DONALDSON Co INC 10-K Cybersecurity GRC - 2024-09-27

Page last updated on September 27, 2024

DONALDSON Co INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-27 14:25:49 EDT.

Filings

10-K filed on 2024-09-27

DONALDSON Co INC filed a 10-K at 2024-09-27 14:25:49 EDT
Accession Number: 0000029644-24-000111


Item 1C. Cybersecurity.

Cybersecurity Strategy and Risk Management

Donaldson recognizes the critical importance of cybersecurity. Protecting the confidentiality, integrity and availability of our data, we focus on building resilience into the very fabric of our enterprise digital ecosystem. Our cybersecurity program is comprehensively integrated within our enterprise risk management and encompasses the enterprise information technology (IT) and operational technology (OT) environments. Our cyber risk management program controls are based on industry-recognized best practices and standards, including the National Institute of Standards and Technology (NIST) Cyber Security Framework and the International Organization for Standardization (ISO) 27001 information security management system requirements.

Our cybersecurity processes include the following:

Technical safeguards - We seek to maintain an information technology infrastructure that implements risk-based physical, administrative and technical controls to safeguard our information systems and information stored on our networks, including customer information, personal information, intellectual property and proprietary information.

Cybersecurity incident response plan and testing - We perform 24x7 security monitoring and execute a cybersecurity incident response plan with a dedicated team to respond to cybersecurity incidents. When a potential material cybersecurity incident is identified, we deploy cross-functional teams responsible for leading the initial assessment of priority and severity, and external experts may also be engaged as appropriate. Our cybersecurity teams prioritize responses to incidents depending on severity levels. We continuously improve our cybersecurity incident management plan through periodic tabletop exercises or simulations at the enterprise and business levels.

Education and Awareness - We require annual training for personnel for information security, including information about the latest cybersecurity threats. To equip employees with the knowledge to identify potential risks with tools to report any suspicious activities, we implemented monthly phishing exercises that encompass various real-life simulations. We also practice scenario-based simulation drills, such as tabletop exercises for employees and contractors, to enhance awareness and vigilance of potential threats. For fast-developing threat situations, we utilize enterprise-wide corporate communication channels to broadcast security alerts for the timely delivery of important information to our employees.

Technology managed by third parties - We have IT systems essential to business operations managed by third parties. These systems process, transmit, store electronic information and manage or support a variety of business processes and activities. Before any engagement, we conduct holistic risk assessments of third-party providers. We scrutinize multiple dimensions of risk factors including information security, regulatory compliance and architectural design. We established monitoring procedures to mitigate risks related to data breaches or other security incidents originating from third parties.

Third-party assessments of the Company - We regularly engage third-party consultants, legal advisors and audit firms in evaluating and testing our risk management processes, compliance with international standards and regulations, and assessing potential cybersecurity threats, as appropriate. Any recommendations are tracked with senior IT ownership and timelines for remediation.

We consider cyber risks among the top risks for us within our enterprise risk management framework. This framework includes internal reporting at the business and enterprise levels, with consideration of key risk indicators, trends and countermeasures for cybersecurity and other types of significant risks.

As of the date of this Form 10-K, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, and that are required to be reported in this Form 10-K. We do not believe we have experienced any risks from cybersecurity threats or previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, our business strategy or our results of operations or financial condition, including for any of the three years ended July 31, 2024, 2023 or 2022. For further discussion of the risks associated with cybersecurity incidents, refer to the cybersecurity risk factors in Item 1A, “Risk Factors” in this Form 10-K.

Cybersecurity Governance

Our board of directors has oversight of overall risk management, prioritizing the most significant risks including strategic, operational, financial and legal compliance risks. The board’s risk oversight process builds upon management’s risk management processes, which include processes for identifying, assessing and managing material risks from cybersecurity threats. The board implements its risk oversight function primarily through its audit committee, which receives reports about our practices, programs, notable threats or incidents, and other developments related to cybersecurity throughout the year. To this extent, the audit committee receives information about cybersecurity risks as part of our enterprise risk management framework and reporting. The audit committee then assesses implemented cybersecurity controls to monitor and evaluate the mitigation of cybersecurity risks.

Our Chief Information Officer (CIO) provides annual reports, with additional updates as necessary to the board of directors. Our CIO also attends annual audit committee meetings and provides cybersecurity updates which include specific cybersecurity topics, covering material risks and threats.

Our CIO oversees the cybersecurity program. With an extensive background in the IT industry, our CIO has previously been in multiple CIO positions and other top global leadership roles that drove digital transformation and owned technology from end to end. Our CIO leads a cross-functional information security team, comprised of experienced professionals from the global infrastructure and cybersecurity, legal and compliance organizations. Beyond information technology, this leadership team also partners with our Enterprise Operations team managing the operational technology security of our manufacturing facilities.


Company Information

Name: DONALDSON Co INC
CIK: 0000029644
SIC Description: Industrial & Commercial Fans & Blowers & Air Purifing Equip
Ticker: DCI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: July 30