Zurn Elkay Water Solutions Corp - (ZWS)
10-K Filing Date: February 06, 2024
ITEM 1C. CYBERSECURITY.
Zurn Elkay’s management and Board recognize the importance of robust oversight of cybersecurity risk, information security, and technology risk in maintaining the trust and confidence of our customers, partners, employees, and stockholders. The Audit Committee, on behalf of the Board, oversees the Company’s material financial and other risk exposures, including risks related to cybersecurity. Our Board has extensive cybersecurity experience, including two members of the Audit Committee who have received a certificate in cybersecurity oversight from the Carnegie Mellon University Software Engineering Institute. Cybersecurity risk also is monitored, assessed and managed as part of the Company’s integrated Enterprise Risk Management program on an ongoing basis. A cybersecurity governance council, comprised of executive leaders, meets at least quarterly to review the Company’s cybersecurity program and its effectiveness. This cybersecurity governance council receives updates and reports from the Company’s global cybersecurity team (discussed below) on the cybersecurity program and its effectiveness relating to the prevention, detection, mitigation and remediation of cybersecurity incidents. The Chief Information Officer (CIO) provides periodic updates to the Audit Committee on any material initiatives and key updates on the cybersecurity program and its effectiveness, including any material threats. The CIO also provides an annual update regarding information security to the full Board. The CIO has more than 35 years of information technology experience, including approximately 17 years serving as a CIO.
To assess, identify and manage material risks from cybersecurity threats and to prevent, detect and respond to cybersecurity threats, including threats associated with the use of third-party service providers, the Company has a robust cybersecurity program. The Company’s global cybersecurity team, overseen by the CIO, implements policies and procedures and uses a balanced approach to validate the effectiveness of the program, leveraging third-party expert security resources, information technology resources, executive business leadership, internal and external audit, third-party vendors and other IT and business partners. The program uses a combination of standards and best practices from the National Institute of Standards and Technology, the Center for Internet Security, third-party vendor partners, and other industry forums. Annually, the program is assessed both internally and externally, including thorough industry benchmarking, maturity assessments, best practice reviews, and risk assessments, with control validation occurring monthly internally (focused on core critical controls), quarterly (focused on vulnerabilities/cyber-incident simulations) and annually (focused on a review of best practices) via third-party vendors and partners, and annually via external third parties, including the conduct of internal/external penetration tests and tabletop exercises. Third-party service providers are assessed initially based on security questionnaires, and the access of third-party service providers is audited annually and/or with any change in circumstances. Third-party service providers are also monitored through a combination of security information and event management technology and managed detection and response services. The CIO provides key results and findings from these assessments to the cybersecurity governance council and Audit Committee.
The Company has a robust incident response plan intended to help provide timely remediation to cybersecurity incidents and also to help provide notice of any material incidents to the appropriate internal and external entities.
To help associates acquire the knowledge to support the protection of our environment, the Company provides comprehensive annual security awareness training, periodic information updates, and regular testing/training programs. In addition, the Company annually purchases a cybersecurity insurance policy.
The Company depends heavily on information technology infrastructure to manage our business objectives and operations, support our customers’ requirements and protect sensitive information. To date, the Company has not experienced a cybersecurity threat or cybersecurity incident that has materially affected the Company, including our business strategy, results of operations or financial condition. While the Company has a robust cybersecurity program in place and has taken steps to maintain and enhance its cybersecurity, a material security breach could impede the Company’s ability to carry on business in the normal course.
As we have previously described in Item 1A, Risk Factors, there have been significant and increasing instances of data and security breaches, malicious interference with technology systems and industrial espionage involving companies in numerous industries, including cloud providers, and cybersecurity threats are becoming more complex. In addition, at times a large percentage of our workforce may be working remotely in response to outbreaks of infectious disease, which may heighten these risks. While we have taken steps to maintain and enhance our cybersecurity by implementing additional security technologies, internal controls, network and data center resiliency, redundancy and disaster recovery processes and backup systems, upgrading our remote work environment and by obtaining insurance coverage, these measures may be inadequate and our technology systems could be vulnerable to disability, failures, or unauthorized access. As a result, any inability by us to successfully manage our information systems, or respond effectively to any attack on or interference with our systems, including matters related to system and data security, privacy, reliability, compliance, performance and access, problems related to our systems caused by natural disasters, security breaches or malicious attacks, and any inability of these systems to fulfill their intended business purpose, could impede our ability to record or process orders, manufacture and ship in a timely manner, account for and collect receivables, protect sensitive data of the Company, our customers, our employees, our suppliers and other business partners, comply with our third-party obligations of confidentiality and care, or otherwise carry on business in the normal course. Any such events could require costly remediation beyond levels covered by insurance and could cause us to lose customers and/or revenue, including as a result of legal or regulatory claims or proceedings, or damage our reputation, any of which could have a material adverse effect on our business and operating results. We are also subject to an increasing number of evolving data privacy and security laws and regulations that impose requirements on us. We collect, store, access and otherwise process various types of confidential or sensitive data, including proprietary business information, personal data and other information that is subject to privacy and security laws, regulations and/or customer-imposed controls. Failure to comply with such laws and regulations could result in the imposition of fines, penalties and other costs.