Mueller Water Products, Inc. 10-K Cybersecurity GRC - 2024-11-20

Page last updated on November 20, 2024

Mueller Water Products, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-20 15:36:01 EST.

Filings

Mueller Water Products, Inc. filed a 10-K at 2024-11-20 15:36:01 EST
Accession Number: 0001350593-24-000079

Item 1C. Cybersecurity.

Our Board of Directors maintains oversight responsibility for how we manage risk, and it charges management with assessing and mitigating that risk through the development, implementation and maintenance of our risk management processes including our cybersecurity program. Our internal audit department, which reports to the Audit Committee, administers our enterprise risk assessment and, in coordination with our legal and compliance functions, is responsible for ongoing enterprise risk management assessments. Our internal audit department also regularly reports to the Board of Directors and its committees on risk-related issues.

The Audit Committee of the Board of Directors oversees our cybersecurity and data privacy programs and practices and consults with management regarding cybersecurity initiatives. This committee is also responsible for reviewing cyber and data security matters, including cybersecurity threats to us and our risk mitigation initiatives. At least twice a year, the Audit Committee receives updates on our cybersecurity and data privacy programs and practices from our Senior Vice President of Information Technology and our Senior Director of Information Security. The topics reported by the Senior Vice President of Information Technology and our Senior Director of Information Security include updates on cybersecurity threats to us, the status of projects to strengthen our information security systems, assessments of the cybersecurity program, and the emerging threat landscape, as well as the results of any third-party assessments conducted.

Our Senior Vice President of Information Technology holds an undergraduate degree in Technology Management (Manufacturing Systems), and has served in various roles in information technology, information security and engineering for over 14 years and within Mueller for four years. Our Senior Director of Information Security holds an undergraduate degree in Computer Engineering and has served in various roles in information technology and information security within Mueller for over 20 years.

We have two cybersecurity teams, each dedicated to a specific area. Our Information Technology Cybersecurity team focuses on corporate programs, and our Products Cybersecurity team focuses on customer-facing programs. These teams work collaboratively to implement programs designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity risk management program, these teams are charged with addressing cybersecurity threats and responding to cybersecurity incidents. Through ongoing communications with these teams, the Senior Vice President of Information Technology, the Senior Director of Information Security and the General Counsel monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to the Audit Committee when appropriate. Similarly, the Audit Committee reports cybersecurity threats and incidents to the full Board of Directors as appropriate.

Risk Management and Strategy

Risk Assessment

Our cybersecurity policies, standards, processes and practices are integrated into our enterprise risk management processes and are based on a recognized framework established by the National Institute of Standards and Technology (“NIST”). In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, integrity and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

We have established and maintain comprehensive incident response and recovery plans that detail our planned responses to cybersecurity incidents. These plans are tested and evaluated on a regular basis. We periodically assess and test the policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning.

Independent Assessments

We regularly engage third parties to perform assessments of our cybersecurity programs, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Audit Committee and the Board of Directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

Technical Safeguards

We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including 24/7 detect and response services, network activity monitoring, phishing prevention, penetration testing and periodic IT security maturity assessments. As part of these efforts, we have engaged third-party cybersecurity providers to help deploy and monitor these safeguards and to assist in the event of a security incident or similar issue by conducting forensics reviews and assisting more broadly with the mitigation and remediation of any such event.

Third-Party Risks

We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Education and Awareness

All employees are required to complete information security awareness training upon joining the Company. Based on individual phishing test performance and job requirements, additional training may be offered or required on an as-needed basis.

Effects and Impacts of Cybersecurity Risks

As announced on October 28, 2023, we identified a cybersecurity incident impacting certain internal operations and information technology systems which adversely affected our ability to ship orders in the first quarter of fiscal 2024. All of our facilities were operational by mid-December 2023 and were returned to normalized operations. We incurred $1.5 million of expenses related to the cybersecurity incident in the first fiscal quarter of fiscal 2024. Additionally, we have invested and intend to continue to invest in strengthening our systems, cybersecurity training, policies, programs, response plans and other similar measures. As of the date of this report, except as set forth herein, we are not aware of any risks from cybersecurity threats that have materially affected us, including our business strategy, results of operations or financial condition.

For information regarding cybersecurity risks that may materially affect us, see the risk factors titled "If we do not successfully maintain our information and technology networks, including the security of those networks, our operations could be disrupted and unanticipated increases in costs and/or decreases in sales could result," and "We may fail to effectively manage confidential data, which could harm our reputation, result in substantial additional costs and subject us to litigation" as well as "Cyberattacks and security vulnerabilities could lead to reduced sales, increased costs, liability claims, unauthorized access to customer data or harm to our reputation" under “Risk Factors” in Part I, Item 1A to this Annual Report on Form 10-K.


Company Information

Name: Mueller Water Products, Inc.
CIK: 0001350593
SIC Description: Miscellaneous Fabricated Metal Products
Ticker: MWA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29