TORO CO 10-K Cybersecurity GRC - 2024-12-18

Page last updated on December 18, 2024

TORO CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-18 12:32:55 EST.

Filings

10-K filed on 2024-12-18

TORO CO filed a 10-K at 2024-12-18 12:32:55 EST
Accession Number: 0000737758-24-000087


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

To protect the confidentiality, integrity, and availability of our critical systems and information, our enterprise risk management framework considers cybersecurity risk alongside other company risks, as part of our overall risk assessment process. We leverage an industry leading framework, the National Institute of Standards and Technology Cybersecurity Framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. We assess our maturity against that framework in partnership with an independent firm on at least an annual basis. We assess and manage our cybersecurity risk using various mechanisms, starting with threat intelligence, which provides us a necessary viewpoint to help us identify trends, understand how certain attacks may affect us, and prepare for evolutions in threat actor behavior that may require changes to our security posture. We monitor emerging trends and regulations related to information security, and implement appropriate changes, as needed, to our cybersecurity risk management program. To drive readiness, we perform periodic adversarial testing of our cybersecurity posture through penetration testing, using both internal resources and external expertise, as well as table-top and “red team” exercises to understand where processes or controls may be insufficient based on adversarial techniques. We have also implemented technical security controls, maintenance of certain backup and protective systems, physical and system security measures, and data security protocols.

We maintain established information security policies and processes; deploy regular network and endpoint software updates on all company-managed systems and workstations to detect and prevent, among others, viruses, malicious code, unauthorized access, and phishing attempts; maintain a disaster recovery plan, and perform at least two disaster recovery exercises annually to validate and optimize our recovery efforts in the event of a cybersecurity incident; and regularly engage third-party cybersecurity experts to conduct vulnerability assessments and penetration testing on our information networks, systems, and applications. Our internal audit team performs regular assessments of our program and selected components. We also leverage retrospectives from previous cybersecurity incidents to understand weaknesses and to improve our security controls. We assess our critical suppliers regularly for cybersecurity risk and prescribe remediation activities when necessary. As a part of a collaborative defense approach, we regularly participate in multiple cybersecurity forums to share threat intelligence, best practices, and points of caution. We train our employees through annual security training, phishing simulations, and regular communications about timely cybersecurity topics and threats. We have a documented and well-tested cybersecurity incident response plan that guides us in responding to, containing, and eradicating cybersecurity threats that have breached our preventative controls. Examples of relevant processes include steps for: assessing the severity of a cybersecurity threat; identifying the source of a cybersecurity threat, including whether the cybersecurity threat is associated with a third-party service provider; implementing cybersecurity countermeasures and mitigation strategies; and remediating and escalating cybersecurity incidents using cross-functional expertise.

Our cybersecurity risk management program also includes risk-based processes related to overseeing and identifying cybersecurity risks associated with the use of third-party providers, including processes related to: conducting cybersecurity assessments of third-party service providers, including cybersecurity obligations in contracts with third-party service providers; and receiving and responding to notification of cybersecurity incidents of third-party service providers. We regularly practice technical recovery. Cybersecurity risks related to third-party IT providers and solutions are managed as part of our vendor security protocol that includes vendors, software, and cloud-based service providers. We partner with our vendors to minimize the customer data needed to provide services and ensure compliance with regulations. Vendors are reviewed annually to identify any changes to services, data requirements, and associated security and protections. Where applicable, vendors are contractually bound to protect customer data and support enforcement of all regulatory requirements. We proactively evaluate the cybersecurity risk of third-party IT providers and solutions by utilizing a repository of risk assessments and an external monitoring solution that includes threat intelligence to better inform us during contracting and vendor selection processes. When third-party risks are identified, we require those third parties to agree by contract to implement appropriate security controls, or we refrain from doing business with them. Security issues are documented and tracked, and periodic monitoring of third parties is conducted in order to mitigate risk.

The Company also contractually requires suppliers, vendors and other third parties with access to its information technology systems, sensitive business data or personal information to implement and maintain appropriate security controls and contractually restricts their ability to use the Company’s data, including personal information, for purposes other than to provide services to the Company, except as required by law.

Cybersecurity Governance

Our cybersecurity program is led by the Senior Manager of our Enterprise IT Security Risk and Compliance team, who reports to the Managing Director of Enterprise IT. The Senior Manager has over 30 years of IT experience, with over 20 years specializing in cybersecurity. He has strategic and operational responsibility for all aspects of the company’s cybersecurity program, including how cyber risks are identified and assessed and how the company prepares for, detects, responds to, and recovers from cyber threats. Quarterly cybersecurity program updates and as-needed reporting on cybersecurity incidents are provided to the Chief Executive Officer, Chief Financial Officer, and General Counsel. The Audit Committee of our Board of Directors provides oversight for our cybersecurity program. The Audit Committee receives regular updates from management on the effectiveness of our cybersecurity program, reviews plans on how management will continually advance the program, and receives updates on special topics that help the committee provide effective oversight of the program.

Despite our best efforts, we cannot guarantee that our security measures will prevent all potential cybersecurity incidents or breaches. Like most companies, our systems are continually subjected to sophisticated and evolving cybersecurity threats, such as phishing, ransomware, social engineering, and advanced persistent threats. However, to date, we have not been subject to any incidents or successful cyber-attacks that materially impacted our operations or financial condition. Vulnerabilities could lead to significant additional expenses and an adverse effect on our reputation, business, results of operations, financial condition and cash flows. The Company has invested in developing and acquiring cybersecurity capabilities allowing us to monitor threats and manage incident response. We have also developed internal policies to mitigate cybersecurity incidents, including providing clear guidelines for incident classification and response. We recognize the importance of continued monitoring and improvement of our cybersecurity program, and will continue to invest in our security controls, incident response capabilities, and third-party vendor management protocols. Additional information on cybersecurity risks we face is included in Part I, Item 1A, “Risk Factors,” which should be read in conjunction with the information in this section.


Company Information

Name: TORO CO
CIK: 0000737758
SIC Description: Lawn & Garden Tractors & Home Lawn & Gardens Equip
Ticker: TTC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: October 30