Otis Worldwide Corp - (OTIS)
10-K Filing Date: February 02, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
The security of our products, services and corporate network is a key priority for our business. We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats (as defined in Item 106(a) of Regulation S-K). These risks include, among other things, operational risks, intellectual property theft, fraud, extortion, harm to employees, customers, business partners or the riding public, violation of privacy or security laws and other litigation and legal risk, and reputational risks.
Otis has taken a risk-based approach to cybersecurity, which considers the sensitivity and volume of the relevant data, the potential effects on third parties and individuals, the needs of our business, and the costs and/or practicality of remediation. Based on this qualitative and quantitative assessment, we determine if identified cybersecurity risks are at an acceptable level, or should be mitigated or transferred.
We have implemented cybersecurity policies throughout our operations, including designing and incorporating cybersecurity, as appropriate, into our products and services while they are being developed. Our enterprise risk management (“ERM”) process considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Additionally, cybersecurity functional groups incorporate external research and intelligence gathering to keep the organization informed of new and evolving cyber risks.
We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage material risks from cybersecurity threats, and to protect against, detect and respond to cybersecurity incidents (as defined in Item 106(a) of Regulation S-K), including, among others, the following:
• established a global Security Operations Center to support visibility to cybersecurity incidents in real time;
• require all salaried Otis colleagues to complete an annual cybersecurity training program where specific threats and scenarios are highlighted based on our analysis of current risks to the organization;
• conduct regular phishing email simulations for employees and contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
• maintain a robust Cybersecurity Incident Response Plan, which provides a framework for handling cybersecurity incidents based on, among other factors, the potential severity of the incident and facilitates cross-functional coordination across Otis;
• periodically run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
• maintain cybersecurity insurance and regularly review our policy and levels of coverage based on current risks;
• monitor emerging data protection and cybersecurity laws, and implement changes to our processes, systems and offerings designed to comply, and through policy, practice and contract (as applicable) require employees, as well as third parties who provide services on our behalf, to treat customer information and data with care;
• conduct several cyber-specific internal audits per year; and
• engage consultants and other third parties in connection with our cybersecurity practices.
As part of the above processes, we conduct monthly third-party scanning of our network.
Otis also applies a risk-based approach to mitigate cybersecurity risks associated with our use of third-party service providers, including those in our supply chain that have access to our customer and employee data or our systems. Third-party risks are included within our ERM process. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform due diligence on third parties that have access to our most critical systems, data or facilities that house such systems or data, and based on our risk assessment put in place contractual undertakings and oversight, to manage and reduce the risks associated with such third-party vendors. Such contractual undertakings include requirements to comply with administrative, technical and physical safeguards to satisfy the requirements for certification under ISO 27001, to provide notification of cyber incidents involving our systems or data and an agreement to be subject to cybersecurity audits, which we conduct as appropriate.
While Otis has not experienced a material cybersecurity incident to date, please see Item 1A in this Form 10-K for more information regarding cybersecurity-related risks that could materially affect our business strategy, results of operations, or financial condition, under the headings “Information security, data privacy and identity protection may require significant resources and present certain risks to our business, reputation and financial condition”, “Our business and financial performance depend on continued substantial investment in information technology infrastructure, which may not yield anticipated benefits, and may be adversely affected by cyber-attacks on information technology infrastructure and products and other business disruptions” and “We depend on our intellectual property, and have access to certain intellectual property and information of our customers, suppliers and distributors; infringement or failure to protect our intellectual property could adversely affect our future growth and success”.
Cybersecurity Governance
Otis has established a three-level governance model for managing cybersecurity risks. Cybersecurity risks are overseen by the Audit Committee of our Board of Directors (the "Board"). Our Chief Digital Officer (“CDO”) and Chief Information Security Officer (“CISO”) regularly brief the Audit Committee and other members of the Board on the Otis Cybersecurity Program and cyber-threat landscape, including twice in 2023. Our Cybersecurity Program is directed by both our CDO and CISO and we have established a Cyber Governance Council and Steering Committee made up of senior management (including our CEO). These committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
Members of our Board also received briefings on risks associated with generative artificial intelligence, data protection (including data privacy laws) and our IT infrastructure in 2023. In 2022, in addition to periodic briefings on cybersecurity, the Audit Committee members participated in a simulated cybersecurity incident tabletop exercise and toured our Security Operations Center. Several members of our Board hold a CERT Certificate in Cybersecurity Oversight issued by the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and in early 2023, two members of our Audit Committee attended a continuing education class related to cybersecurity through the National Association of Corporate Directors (“NACD”).
Our CDO and CISO collectively have over 20 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy and implementing effective information and cybersecurity programs, as well as relevant degrees and certifications, including Certified Information Security Manager certification and NACD Cyber training. All Otis colleagues engaged in cybersecurity are required to have a baseline certification (such as Security+, CISSP or CISM), as well as an operational cyber certification (for example, incident response or forensics analysis).