Page last updated on November 12, 2024
TE Connectivity plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-12 12:05:13 EST.
Filings
10-K filed on 2024-11-12
TE Connectivity plc filed a 10-K at 2024-11-12 12:05:13 EST
Accession Number: 0001558370-24-015227
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

Our cybersecurity risk management strategy and processes are designed to identify, assess, and manage risks to the confidentiality, integrity, and availability of our information technology environment, systems, and information. The cybersecurity risk management process is managed centrally and is led by our global chief information security officer (“CISO”) who reports to our global chief information officer. Our cybersecurity program takes a risk-based approach and is integrated with our global enterprise risk management program. Our cybersecurity risk strategy is aligned with cyber/information security frameworks and industry standards, including the National Institute of Standards and Technology Cybersecurity Framework.

Our cybersecurity program includes the following risk management practices:

● a formal cybersecurity risk assessment is performed annually in collaboration with our enterprise risk management function, resulting in updates to plans and actions that are incorporated into improvement projects;
● our cybersecurity program maturity is benchmarked annually against industry standards and norms. The result serves as a guide to identifying evolving risks, prioritizing improvements, and enhancing the program;
● cybersecurity threats are evaluated throughout the year by our around-the-clock security operations center, utilizing a variety of third-party subscription and threat intelligence data sources and data collected via internal monitoring and scanning processes;
● annual security awareness trainings are required to be completed by employees, and monthly phishing campaigns and additional function-specific cybersecurity trainings are also conducted;
● security and risk metrics are reviewed monthly and reported to leadership quarterly;
● external penetration tests are conducted annually by independent third parties and appropriate actions are taken to strengthen controls;
● a cybersecurity incident response charter and plan, and playbooks are maintained by the cybersecurity incident response team. The plan and playbooks are utilized during table-top exercises and trainings. Participants may include information technology, business, corporate function, and external resources depending on the table-top scenario; and
● third-party supplier security reviews are conducted based on risk. Reviews may include the assessment of security architecture, connections between our systems and the third party, data security controls, and user access controls.

To date, we do not believe that any risks from cybersecurity threats, nor any previous cybersecurity incidents, have materially affected our business strategy, results of operations, or financial condition. However, the sophistication of cyber threats continues to increase, and the preventative actions we have taken and continue to take to reduce the risk of cyber incidents and protect our systems and information may not successfully protect against future cyber incidents, which could materially affect our business strategy, results of operations, or financial condition.

For additional information on certain risks associated with cybersecurity, refer to the risk factors related to cybersecurity and information technology systems in “Part I, Item 1A. Risk Factors.”

Cybersecurity Program Governance

Our cybersecurity program is governed by the information security committee (“ISC”), composed of our leaders from information technology, enterprise risk, legal, compliance, strategy, human resources, finance, internal audit, and various business units. On a quarterly basis, the CISO reports to the ISC on topics such as risk mitigation project status, audit results, security metrics, cyber incidents investigated and impact, if any, and significant changes that contribute toward protecting the enterprise from cybersecurity threats.

Our CISO has over 20 years of experience in information security leadership roles and over 8 years as our CISO. Nearly half of our board of directors have completed cybersecurity program trainings or have cybersecurity and information security industry experience.

Cybersecurity incidents are evaluated by a cross-functional management team based on defined quantitative and qualitative criteria and communicated to leadership. We have cybersecurity and information technology third-party consultants to assist in performing forensic and technical analyses and advising leadership as needed.

The cybersecurity committee of our board of directors has oversight responsibility for cybersecurity risks. The CISO provides updates at least twice a year to the cybersecurity committee regarding matters related to information technology and cybersecurity risks including the state of our cybersecurity programs, emerging cybersecurity developments and threats, and our strategy to mitigate cybersecurity risk. Additionally, the full board of directors receives updates on our cybersecurity program twice a year as part of the enterprise risk management meetings.
Company Information
Name | TE Connectivity plc |
CIK | 0001385157 |
SIC Description | Wholesale-Electronic Parts & Equipment, NEC |
Ticker | TEL - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | September 26 |