CARRIER GLOBAL Corp - (CARR)

10-K Filing Date: February 06, 2024
ITEM 1C. CYBERSECURITY

Impact of cybersecurity risks on business strategy, results of operations or financial condition.

As discussed under the “Risk Factors” heading in this Annual Report, our business has been and may again in the future be impacted by disruptions to our IT infrastructure or our third-party providers’ IT infrastructures from (among other causes) cybersecurity-based risks, including attacks (i) on our IT infrastructure; (ii) targeting the security, integrity and/or availability of hardware and software; (iii) exploiting weaknesses or vulnerabilities in products, or capturing information installed, stored or transmitted in our products (including after the purchase of those products and when they are installed into third-party products); and (iv) on facilities or similar infrastructure.

Risk Management and strategy.

We mitigate cybersecurity risks (and other material risks) through our enterprise risk management (“ERM”) program, which is a company-wide effort, managed by senior executives and overseen by our Audit Committee and Board of Directors to identify, assess, manage, report and monitor material risks that may affect our ability to achieve our business objectives.

In connection with the ERM process, cybersecurity risks, including those relating to risks posed by our use of third-party service providers, are assigned to cross-functional management committees responsible for identifying and classifying the cybersecurity risks in accordance with our ERM risk rating methodology, and developing and administering risk mitigation and incident response plans. These cross-functional management committees regularly meet to review current and emerging cybersecurity risks and maintain policies and procedures governing the evaluation and classification of such risks.

Cybersecurity risks deemed to be critical are reviewed by a Critical Threat Committee, which is comprised of members of our senior leadership team including our Chief Financial Officer, Chief Legal Officer, Chief Digital Officer, Chief Operating Officer, Chief Technology Officer, and Controller. The Critical Threat Committee reviews the risk and mitigation plan with the applicable cross-functional management team and facilitates notification to the Audit Committee of emerging critical cybersecurity risks. The Audit Committee and the Board of Directors receive regular briefings on cybersecurity risks. See “—Governance” below for further discussion of governance of our cybersecurity program.

In the event of a cybersecurity incident, we maintain incident response plans to investigate, classify, respond to, and manage cybersecurity incidents that may compromise the availability or integrity of our information systems, network resources, or data. In accordance with the incident response plans, cross-functional management teams assess and assign a threat level to each cybersecurity incident. A cybersecurity incident (or incidents, if aggregated together) assigned a critical threat level is escalated to the Critical Threat Committee for review.

To ensure that our employees are equipped to identify and mitigate material cybersecurity incidents and to empower them to help us maintain a secure environment for our operations and data assets, we utilize a multifaceted training approach aimed at fostering a culture of security awareness and responsibility among all employees. These tailored programs are designed and updated to address evolving threats and industry best practices. In addition to annual cybersecurity training for employees and contractors and simulated phishing email campaigns, our cybersecurity teams conduct tabletop exercises with our senior management team. Our cybersecurity teams also oversee a security assessment process that is used to screen our third-party service providers for cybersecurity vulnerabilities according to the level of inherent risk they pose to the company or our customers, determined by factors including but not limited to the products or services they provide and their ability to access our information systems, network resources, or data.

We engage and retain outside consultants and legal advisors and we are members of several cybersecurity industry groups to keep us apprised of emerging cybersecurity risks, defense and mitigation strategies and governance best practices. Many of our processes and procedures have been independently audited and assessed against some of the leading international cybersecurity standards and programs.

Cybersecurity threats are constantly evolving, are becoming more frequent and more sophisticated and are made by groups of individuals with a wide range of expertise and motives which increases the difficulty of detecting and successfully defending against them. However, to date, cybersecurity threats have not materially affected us, including our business, strategy, results of operations or financial condition.

Governance

Our cybersecurity programs, including the cross-functional management committees responsible for identifying, assessing, and mitigating cybersecurity risks and incidents, are owned by our Chief Information Officer. Day-to-day administration of the cybersecurity programs is led by our Chief Information Security Officer and Chief Product Security Officer, who collectively possess over 30 years of experience related to cybersecurity issues in both the private and government sectors, and who hold certifications including but not limited to Certified Information Systems Security Professional ("CISSP") and Certified Information Security Manager ("CISM").

Cybersecurity risk oversight remains a top priority for the Board of Directors. Although the Audit Committee maintains primary responsibility for oversight of cybersecurity risks through the ERM program, responsibility for oversight of cybersecurity risks is also delegated to other committees in alignment with their respective charter responsibilities. For example, the Technology and Innovation Committee and the Governance Committee assist with the cybersecurity programs through their oversight of our technology, digital, and innovation strategies and our product integrity program, respectively.

The Critical Threat Committee is also responsible for evaluating the materiality of a cybersecurity incident based on criteria that have been reviewed with the Board of Directors, and for determining whether there are disclosure obligations under applicable securities laws. In the event that the Critical Threat Committee determines that a critical cybersecurity incident (or incidents, if aggregated together) is material, the Critical Threat Committee will brief the Board of Directors and oversee the disclosure process. For all critical cybersecurity incidents that are not deemed to be material, the Critical Threat Committee will notify the Chairman of the Board to determine whether the Board of Directors will be notified of the critical incident during the next regularly scheduled cybersecurity update to the Audit Committee, or sooner as circumstances warrant.
