EMERSON ELECTRIC CO 10-K Cybersecurity GRC - 2024-11-12

Page last updated on November 12, 2024

EMERSON ELECTRIC CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-12 07:01:57 EST.

Filings

10-K filed on 2024-11-12

EMERSON ELECTRIC CO filed a 10-K at 2024-11-12 07:01:57 EST
Accession Number: 0000032604-24-000041

Item 1C. Cybersecurity.

Emerson has a cybersecurity risk management program that is designed to assess, identify, manage, and govern material risks from cybersecurity threats. Emerson maintains oversight of its cybersecurity risk management program through a governance structure that includes senior management, the Audit Committee and the Board of Directors (the “Board”). Emerson’s cybersecurity risk management program leverages multiple layers of security controls across the Company’s systems designed to establish risk treatment plans and regularly monitor risks. Emerson maintains cybersecurity policies and standards aligned with industry standard control frameworks and applicable regulations, laws and standards, and a global incident response plan.

Emerson’s Board directly, or through its appropriate committees, provides oversight of management’s efforts to mitigate cybersecurity risk and response to cyber incidents. The Board and/or its appropriate committees receive regular updates on cybersecurity from management and engage in discussions throughout the year, including with subject-matter experts as appropriate, on the function of the Company’s overall cybersecurity program, cybersecurity risks, strategies for addressing these risks and the implementation thereof. The Audit Committee has oversight responsibility for the Company’s enterprise cybersecurity risks. The Board also receives reports on cyber events, as appropriate, including response efforts, legal obligations and outreach and notification to regulators and/or customers when needed, as well as provide guidance to management as appropriate.

Emerson’s Chief Information Security Officer, who has over twenty-five years’ experience in information technology within the engineering and technology industries, with the last fourteen years dedicated to cybersecurity, oversees the Company’s enterprise cybersecurity risk management program. The Chief Information Security Officer leads the global enterprise security team responsible for leading enterprise-wide information security strategy, architecture, processes, as well as assessing, identifying, and managing cybersecurity risks, which is an integrated aspect of our overall enterprise risk management program. The Chief Information Security Officer provides regular updates to senior management on key security performance indicators of our enterprise cybersecurity program. The Chief Information Security Officer also provides quarterly briefings on cybersecurity to the Audit Committee.

Emerson maintains a centralized 24x7x365 global incident response operation, managed by the global enterprise security team, supported by leading cybersecurity tools that detect and respond to threats as they occur. Every detected cyber incident is reviewed and assessed by Emerson’s Computer Incident Response Team in accordance with our incident response plan, which contains documented escalation paths and is regularly tested.

Emerson engages independent third-party cybersecurity experts to evaluate our cybersecurity maturity and test effectiveness of overall cybersecurity controls. To test and reinforce Emerson’s internal cybersecurity processes, the Company utilizes an accredited and independent third party to audit and certify key elements of our primary data centers, cloud environments and our enterprise IT organization. The audits are conducted according to International Organization for Standardization (ISO) 27001 Framework, although this is not meant to imply that we meet all technical standards, specifications or requirements under ISO 27001. In addition to performing periodic, internal security reviews, the Company also conducts cybersecurity tabletop exercises led by third party cybersecurity consulting firms from time to time, with the last such engagement occurring in 2023.

Emerson relies on third-party service providers for certain critical or key infrastructure, solutions, and services across our operations. Emerson has an internal vendor management team that assesses risks from vendors and suppliers that provide, amongst other things, key information and supply chain services to Emerson.

Emerson maintains a Cybersecurity Awareness Team, within the global enterprise security team, responsible for driving a global information security culture through awareness and education programs. It has created company-wide information security policies and procedures, reviews these regularly and makes them electronically available to our employees. The team works closely with subject matter experts to create educational material and communicate best practices to the company through online training, custom video content, simulated phishing attacks and a variety of other targeted touchpoints.

To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our business, our business strategy, our results of operations or financial condition. In the event an attack or other intrusion were to be successful, we have a response team of internal and external resources engaged and prepared to respond. See Item 1A - “Risk Factors” for additional information.


Company Information

Name: EMERSON ELECTRIC CO
CIK: 0000032604
SIC Description: Electronic & Other Electrical Equipment (No Computer Equip)
Ticker: EMR - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29