Woodward, Inc. 10-K Cybersecurity GRC - 2024-11-26

Page last updated on November 26, 2024

Woodward, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-26 13:37:22 EST.

Filings

10-K filed on 2024-11-26

Woodward, Inc. filed a 10-K at 2024-11-26 13:37:22 EST
Accession Number: 0000950170-24-130891

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We maintain a cybersecurity risk management program based upon the National Institute of Standards and Technology Cybersecurity framework to assess, identify, and manage cybersecurity risks. This program is designed to protect business continuity and preserve the confidentiality, integrity, and continued availability of our IT systems and infrastructure used in our business as well as the information that we own or is in our care, and is integrated into our overall enterprise risk management program. We have established processes to evaluate and address cybersecurity risks on an ongoing basis.

As part of our risk management program, we engage with external third parties to measure the effectiveness of our cybersecurity program through penetration tests, control assessments, tabletop exercises, and other related activities. Further, we have implemented a defense-in-depth strategy in which we utilize real-time 24/7 monitoring to identify anomalies, potential threats, and alerts. This cybersecurity strategy incorporates frameworks, policies, and practices designed to protect the privacy and security of our sensitive information, backed by a suite of security technologies and tools to implement and automate select security protections. We maintain cyber risk and related insurance policies as a measure of added protection.

We educate our members to raise awareness of cybersecurity threats. As part of our program, we maintain annual training for all members on cybersecurity standards and provide training on how to recognize and properly respond to phishing, social engineering schemes, and certain other cyber threats. We equip our members with a mechanism to easily report suspicious emails which are analyzed by our security systems and dedicated incident response team. “Test” phishing assessments are periodically sent to our members. Any failures trigger a retraining exercise if not properly reported. Also, we have specific and regular training for our IT and finance members, as well as our system administrators.

In addition, we maintain processes governing interconnections with third-party systems and we perform due diligence procedures before onboarding service providers with access to our systems or processing sensitive data on our behalf. This process includes a review of System and Organization Controls (“SOC”) 1 and SOC 2 reports (as each such report is defined by the American Institute of Certified Public Accountants), ISO 27001 certifications, and Cybersecurity Maturity Model Certifications (“CMMC”), as well as reviewing penetration tests, conducting vulnerability tests, and administering security questionnaires and assessments.

We are not aware of having experienced risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, risks from cybersecurity threats, including but not limited to exploitation of vulnerabilities, ransomware, denial of service, supply chain attacks, or other similar threats may materially affect us, including our execution of business strategy, reputation, results of operations and/or financial condition. Nonetheless, our IT infrastructure, systems, networks, products, solutions, and services remain potentially vulnerable to numerous additional known or unknown threats. For more information about the cybersecurity risks we face, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factor entitled “Our business and operations may be adversely affected by cybersecurity breaches or other information technology system or network interruptions or intrusions.”

Cybersecurity Governance

Our cybersecurity program is ultimately overseen by the Board of Directors. The Audit Committee has responsibility for the oversight of risk management activities related to cybersecurity and other information security and technology risks.

Our cybersecurity program is implemented and administered by a dedicated team of internal and external cybersecurity professionals that conduct periodic control gap assessments, maturity assessments, and benchmarking against peers in the industry. The team has decades of experience with varied certifications and is led by our Chief Information Officer (“CISO”), who has over 17 years of experience as an IT professional and in cybersecurity and reports to our Vice President of IT. The CISO makes regular reports to senior management regarding the cybersecurity program.

We also have a notification process for appropriate escalation of cyber incidents by members of our internal cybersecurity team to senior management as appropriate, including our Chief Executive Officer, Chief Financial Officer, Chief Accounting Officer, and/or General Counsel, as well as to the Audit Committee. Management provides quarterly data protection and cybersecurity reports to the Audit Committee, as well as periodic reports to the full Board of Directors, which include information about cyber risk management, the cybersecurity risk environment, and the status of ongoing efforts to strengthen cybersecurity effectiveness.


Company Information

Name: Woodward, Inc.
CIK: 0000108312
SIC Description: Electrical Industrial Apparatus
Ticker: WWD - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 29