Johnson Controls International plc 10-K Cybersecurity GRC - 2024-11-19

Page last updated on November 19, 2024

Johnson Controls International plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-19 10:50:07 EST.

Filings

10-K filed on 2024-11-19

Johnson Controls International plc filed a 10-K at 2024-11-19 10:50:07 EST
Accession Number: 0000833444-24-000064


Item 1C. Cybersecurity.

Cybersecurity Strategy and Risk Management

The Company faces a wide variety of cybersecurity threats ranging from uncoordinated individual attempts to gain unauthorized access to information technology (“IT”) systems to sophisticated and targeted measures known as advanced persistent threats directed at the Company, its products, its customers, supply chain and/or its third-party service providers, including cloud providers. These threats and incidents originate from many sources globally. The Company’s cybersecurity policies, standards, and procedures apply to all users, creating awareness of threats and the importance of information security and cybersecurity across the Company’s workforce. The policies and standards were created using elements of recognized standards such as ISO 27001 and the NIST Cybersecurity Framework for the overall enterprise and ISA/IEC 62443 for automation and control system products. The Company has implemented cybersecurity policies throughout its operations, including designing and incorporating cybersecurity into the development process for its products and services. The Company’s enterprise risk management (“ERM”) process considers cybersecurity threat risks alongside other significant risks as part of the Company’s overall risk assessment process.

The Company leverages multiple channels to promote cybersecurity topics, deliver targeted initial and refresher training for all users, and conduct an annual mandatory global information security training campaign with certification, which is translated into 20 languages, and ongoing awareness campaigns. These elements are designed to maintain a risk aware culture. The Company maintains a 24 x 7 operations center that monitors the Company’s IT environment, and coordinates the investigation and remediation of alerts. As cybersecurity events occur, the cybersecurity team focuses on responding to and containing the threat and minimizing impact.

In the event of an incident, the cybersecurity team assesses, among other factors, supply chain and manufacturing disruption, data and personal information loss, business operations disruption, projected cost and potential for reputational harm, with participation from technical, legal and law enforcement support, as appropriate. The Company’s vulnerability management program conducts assessments with specified frequencies for specific asset types to validate system health against known threats. The Company leverages multiple tools, which are routinely updated with new threat signatures, to continually respond to evolving threats identified as part of its threat detection capability. The Company also maintains a cybersecurity insurance policy. The Company engages with third parties to perform security assessments of its technology environment to perform penetration testing and maturity assessment as well as providing services to support threat analysis and incident detection and response.

Cybersecurity considerations affect the selection and oversight of the Company’s third-party product and service providers. The Company performs due diligence on third parties that have access to its critical systems and data and whose products and services are integrated into the Company’s products. Contractual undertakings and oversight are put in place, based on the results of the risk assessment to manage and reduce the cybersecurity risk associated with such third-party providers. Such undertakings may include requirements to comply with administrative, technical and physical safeguards to provide notification of cyber incidents involving the Company’s systems or data and agreements to be subject to cybersecurity audits, which the Company conducts as appropriate. The Company requires compliance with appropriate certifications (e.g., SOC 2, ISO 27001, etc.) depending on the offering, region of use, and other factors.

During the weekend of September 23, 2023, the Company experienced a cybersecurity incident impacting its internal IT infrastructure and applications. The incident caused disruptions and limitation of access to portions of the Company’s business applications supporting aspects of the Company’s operations and corporate functions. The impact of the incident included lost and deferred revenues, primarily attributable to order processing and logistics disruptions and delays, and expenses associated with the response to, and remediation of, the incident. Further, the cybersecurity incident caused disruptions to certain of the Company’s billing systems, which negatively impacted cash provided from continuing operations primarily during the first quarter of fiscal 2024. The overall impact of the cybersecurity incident did not have a material impact on net income, net of insurance recoveries, or cash flows from operations for the full year fiscal 2024.

Cybersecurity Governance

The Company’s Board of Directors (the “Board”) has oversight of the management of the most significant risks facing the Company, including cybersecurity. The Board receives information technology and cybersecurity updates from senior management, including the Chief Information Officer, Chief Information Security Officer (“CISO”) and Chief Technology Officer, several times per year. These updates cover the cybersecurity risks facing the Company’s enterprise information technology environment, as well as the Company’s digital products and services. Regular oversight of cybersecurity matters is further delegated by the Board to the Governance and Sustainability Committee. The Governance and Sustainability Committee provides a deeper level of oversight through quarterly engagements with senior management, including the Chief Information Officer and CISO, to review the Company’s cybersecurity program, including the highest risk areas and key mitigation strategies.

The Company maintains a Cybersecurity Steering Committee (“CSC”) designed to ensure effective governance of risks associated with the Company’s use of information and technology assets and demonstrate effective governance of cybersecurity risk. The CSC is chaired by the CISO, and includes the Company’s Chief Financial Officer, General Counsel, Chief Information Officer, and other senior representatives from the Company’s business segments and functions. The CSC meets quarterly to monitor the current risk landscape and active risk reduction efforts. Through this review and monitoring activity, the CSC oversees effective governance of IT Risk Management in the Enterprise IT Portfolio, drives accountability and transparency of control effectiveness, and facilitates risk remediation and mitigation in a coordinated and comprehensive manner.

The CISO is appointed by the Chief Information Officer and is responsible for cybersecurity risk management across the Company. The CISO leads a global enterprise security team responsible for enterprise-wide security strategy, architecture, engineering, and operations. The Cybersecurity Steering Committee has granted authority to the CISO to pause or stop business processes during the execution of cybersecurity incident response duties if they deem it necessary. The CSC maintains approval authority for the Company’s Enterprise Information Security Policy. The CISO has over 20 years of technology experience including cybersecurity, infrastructure, architecture, and data and analytics in highly regulated industries including healthcare and aviation and defense. The CISO has an undergraduate degree in Computer Information Systems.


Company Information

Name: Johnson Controls International plc
CIK: 0000833444
SIC Description: Air-Cond & Warm Air Heatg Equip & Comm & Indl Refrig Equip
Ticker: JCI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29