DEERE JOHN CAPITAL CORP 10-K Cybersecurity GRC - 2024-12-12

Page last updated on December 12, 2024

DEERE JOHN CAPITAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-12 12:59:18 EST.

Filings

10-K filed on 2024-12-12

DEERE JOHN CAPITAL CORP filed a 10-K at 2024-12-12 12:59:18 EST
Accession Number: 0001558370-24-016174


Item 1C. Cybersecurity.

Cybersecurity is an integral part of our overall risk management efforts and is integrated with John Deere’s overall risk management framework. We take a comprehensive approach by incorporating industry best practices to guide and evaluate our cybersecurity strategy and posture, involving key stakeholders in oversight and decision making, and assessing the program regularly within a dynamically changing environment. We leverage a multifaceted approach to cybersecurity including measures designed to prevent, detect, and respond to cyberthreats while monitoring and adapting to the evolving threat and technology landscapes.

Governance

At the management level, we and John Deere jointly maintain a dedicated global team of cybersecurity professionals (Cybersecurity Team) led and managed by John Deere’s Chief Information Security Officer (CISO). The Cybersecurity Team is responsible for overseeing John Deere’s and our cybersecurity program, including the assessment and management of risks. The Cybersecurity Team has members with experience in governance, risk management and compliance, threat monitoring, threat emulation, penetration testing, and cyber incident management. John Deere’s CISO holds a degree in Management Information Systems and has been with John Deere for over ten years. He has over two decades of extensive experience in information technology and cybersecurity and reports directly to John Deere’s Chief Information Officer.

In addition, a cross-functional team of senior executives from across the John Deere enterprise known as the Digital Risk Governance Council (DRGC) provides oversight at the management level of our and John Deere’s structures for managing digital risk, including the Cybersecurity Team.

The Audit Review Committee (ARC) of the Deere & Company Board of Directors (Board) shares oversight responsibilities of our cybersecurity program, including oversight of related risks, with the full Board. Information on trends, strategic initiatives, and metrics is presented quarterly to the ARC by the CISO and/or members of the Cybersecurity Team. The ARC also receives periodic updates and information from subject matter experts in areas such as risk management, identity and access management, product security, and information technology.

Risk Management and Strategy

Our and John Deere’s cybersecurity program is designed to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents with the goal of protecting the confidentiality, integrity, and availability of our critical systems and information. We use a risk-based, multi-layered information security strategy to assess, identify, and manage risks from cybersecurity threats. The Cybersecurity Team meets frequently to monitor, assess, and address cybersecurity threats and incidents. We and John Deere also work with third parties to assess the maturity of our cybersecurity program, leveraging the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

We also utilize third-party service providers as a normal part of our business operations. We have established processes to support us in identifying and managing cybersecurity risks associated with the use of third parties, which include the completion of due diligence before engaging with a third-party, controls for response to mitigate any significant risks, and assessments and reviews throughout the relationship. Monitoring such risks and threats is integrated into our overall risk management program.

Also, as part of the program, we periodically conduct cybersecurity awareness training including phishing simulations as well as e-learning for employees.

We maintain cybersecurity policies, standards, and procedures, which include a cyber incident response plan. These policies and procedures are regularly evaluated and refined with strategies and protocols designed to adapt to changing regulations and emerging security risks. Regular exercises, tests, incident simulations, and system assessments are conducted to discover and address potential vulnerabilities and improve decision-making, prioritization, monitoring, and overall response effectiveness.

As part of our incident response plan, the Cybersecurity Team uses an established protocol to assess the severity of cybersecurity incidents. In addition, a cross-functional Cybersecurity Incident Response Team is responsible for cybersecurity incident oversight and response, as needed, depending on incident severity. Our cyber incident response plan also includes an escalation process to relevant senior management and/or members of the Board if a cybersecurity incident meets specific rating criteria to prompt response to attempt to minimize potential disruptions and protect the integrity of our operations.

Based on the information available as of the date of this Annual Report on Form 10-K, cybersecurity risks, including as a result of any previous cybersecurity incident, have not materially affected, and are not reasonably likely to materially affect, our business strategy, results of operations, or financial condition. However, we have seen an increase in cyberattack volume, frequency, and sophistication in the digital environment.


Company Information

Name: DEERE JOHN CAPITAL CORP
CIK: 0000027673
SIC Description: Short-Term Business Credit Institutions
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: October 26