ACUITY BRANDS INC 10-K Cybersecurity GRC - 2024-10-28

Page last updated on October 28, 2024

ACUITY BRANDS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-28 16:06:01 EDT.

Filings

10-K filed on 2024-10-28

ACUITY BRANDS INC filed a 10-K at 2024-10-28 16:06:01 EDT
Accession Number: 0001144215-24-000085


Item 1C. Cybersecurity.

Our management and Board of Directors recognize the importance of maintaining the capacity, reliability, and security of our information technology environment and data security infrastructure. Both management and the Board of Directors are actively involved in our enterprise risk management process, which specifically identifies cybersecurity as a key risk to us. To address cybersecurity risk, we have instituted policies, processes, and internal controls aligned with the framework established by the Secure Controls Framework, a meta-framework that reflects the standards of multiple security frameworks including those of the National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO). The focus of our cybersecurity program is to preserve the confidentiality, security, and availability of our systems and data, mitigate cybersecurity threats, and effectively respond to and recover from cybersecurity incidents when they occur.

Material Cybersecurity Risks, Threats, and Incidents

While prior compromises of our security have not had, individually or in the aggregate, a material impact on our operations and/or financial condition, the Company expects risks from cybersecurity threats, including, but not limited to, security breaches, viruses, malware, ransom attacks, other cyber-attacks, or other similar threats, to continue as events of this nature are becoming more sophisticated and frequent, and the techniques used in such attacks change rapidly. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, Risk Factors, which should be read in conjunction with the foregoing information.

Cybersecurity Risk Management and Strategy

We have established and implemented processes to assess, identify, and manage material cybersecurity risks. Our cybersecurity risk management efforts are led by our Chief Information Security Officer (“CISO”).

We deploy technical safeguards designed to protect the Company’s information systems from cybersecurity threats, including firewalls, network access control, endpoint protection, privileged access management, user behavior analytics, and multi-factor authentication, among others, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. We also perform robust security reviews of third-party software vendors prior to purchasing their software or engaging their services. We maintain a comprehensive, risk-based, third-party risk management process to identify, oversee, assess, and manage cybersecurity risks presented by third parties, including vendors, service providers, and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. Cybersecurity risks are identified and responded to by our cybersecurity team led by our CISO. Cybersecurity incidents are managed, evaluated, investigated, and responded to in accordance with the Company’s documented Cyber Incident Response Plan (“CIRP”). The CIRP is administered by the Cyber Incident Response Team (“CIRT”), which is overseen and managed by the CISO. We test and evaluate the CIRP on at least an annual basis through tabletop exercises designed to achieve incident readiness and promote cybersecurity awareness. We also from time to time engage third parties, including assessors and consultants, and our internal audit function to perform assessments, reviews, and audits on our cybersecurity measures. The results of such assessments, reviews, and audits are reported to the Audit Committee of the Board of Directors as well as the CIRT. We adjust our CIRP and other cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, reviews, and audits.

Governance

Our Board of Directors, in coordination with the Audit Committee of the Board of Directors, oversees the Company’s overall enterprise risk management process, including the management of risks arising from cybersecurity threats. The Audit Committee is responsible for reviewing and discussing with management our risk exposure to cybersecurity risks and the steps management has taken to monitor and control the Company’s exposure to risk. Additionally, the Board of Directors and the Audit Committee of the Board of Directors each receive regular presentations and reports on cybersecurity risks as well as prompt and timely information regarding any cybersecurity incident identified as significant by our CISO or Chief Privacy Officer, as required by the CIRP, and ongoing updates regarding any such incident until it has been addressed. On an annual basis, the Board of Directors and the Audit Committee of the Board of Directors discuss the Company’s approach to cybersecurity risk management, as well as our overall risk management strategy, with the members of senior leadership, which includes the Company’s CISO, Chief Executive Officer, and Chief Financial Officer. The Audit Committee also receives periodic updates on risk management and enterprise risk management, including cybersecurity, throughout the year. Our CISO has over three decades of relevant experience across the information technology landscape. His work experience has included managing cybersecurity risks at large multinational companies. Reporting to our CISO and leading a team of security engineers is our Vice President, Enterprise Security, who also has decades of experience architecting and deploying secure network, system, and data center infrastructure as well as designing and deploying processes and technology platforms that are designed to protect the enterprise from cybersecurity threats.

In addition to board oversight and the presence of a cybersecurity team, we provide all applicable employees and contractors with cybersecurity awareness training and testing on an annual basis. We also deliver phishing exercises to all applicable employees and select contractors, as well as targeted phishing training to select employees and contractors, on a quarterly basis. Our product development teams keep current through specialized training on secure development practices for firmware, software, and hardware. Our training programs are designed to educate our employees on current cybersecurity risks and the programs we have in place that are designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO monitors the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the Audit Committee when appropriate.


Company Information

Name: ACUITY BRANDS INC
CIK: 0001144215
SIC Description: Electric Lighting & Wiring Equipment
Ticker: AYI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: August 30