SMITH A O CORP 10-K Cybersecurity GRC - 2025-02-11

Page last updated on February 11, 2025

SMITH A O CORP reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-11 17:28:15 EST.

Filings

10-K filed on 2025-02-11

SMITH A O CORP filed a 10-K at 2025-02-11 17:28:15 EST
Accession Number: 0000091142-25-000036

Item 1C. Cybersecurity.

ITEM 1C - CYBERSECURITY

Cybersecurity Governance

We recognize the importance of maintaining the safety and security of our systems and data and have a holistic process for overseeing and managing cybersecurity and related risks. This process is supported by both our management and our Board of Directors.

Our Chief Information Officer (CIO) oversees our information systems and cybersecurity function and reports to our Chief Operating Officer (COO). She has over 30 years of experience in leading information systems management, strategy, and operational execution, including incident management, prevention, and response. Our Senior Director of Global Information Security (ISD) reports to our CIO and is responsible for the protection and defense of our networks and systems and managing cybersecurity risk. He has over 20 years of experience in managing cybersecurity and related risks, including threat identification, incident response, and defense strategies. Our CIO and ISD are supported by a direct and cross-functional team of professionals with broad experience and expertise in threat assessment and detection, mitigation technologies, training, incident response, and regulatory compliance.

Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, which includes our management of information and cybersecurity risk. The full Board receives an update on our cyber risk management process and trends related to cybersecurity at least annually, or real-time if a material event occurs. The Audit Committee of the Board assists the full Board in its oversight of cybersecurity risks. As part of its oversight, the Audit Committee receives regular reports from management on information systems and security, including metrics and controls at each meeting, and other items at least annually including risk assessments, security software, incident response plans, and key updates to the cybersecurity program and its effectiveness.

We have also established a committee of our executive leadership team to consider cybersecurity risks and to consider mitigation strategies in managing the risk. Our CIO and ISD participate on this committee, which meets regularly. We have an established incident response plan led by our CIO and ISD to assess, respond, and report in the event of a cybersecurity incident. Depending on the nature and severity of the incident, the plan requires escalating notifications up to our CEO, Audit Committee and our Board.

Cybersecurity Risk Management

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program consistent with other legal, compliance, strategic, operational, and financial risk areas. Our program is guided by cybersecurity frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), although we also look to other standards to help us identify, assess, and manage cybersecurity risks relevant to our business. The Company has a robust cybersecurity program to assess, identify and manage material risk from cybersecurity threats and to prevent, detect and respond to cybersecurity threats, including those associated with the use of third-party service providers.

Our approach to cybersecurity risk management includes:

- Cybersecurity awareness training, including interactive simulations and tabletop exercises for our employees, incident response personnel, senior management, and our Board;
- Periodic risk assessments designed to help identify significant or potentially material cybersecurity risks to our critical systems, information, and our broader enterprise information technology (IT) environment;
- The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
- A multi-layered defense and continuous monitoring strategy employing various tools and testing, and incorporating lessons learned from our defense and monitoring efforts to help prevent future attacks;
- Regular testing by our Internal Audit function of controls related to our financial information systems; and
- Information security assessments conducted on third parties with whom we share sensitive electronic data against established cybersecurity frameworks.

While we have experienced cybersecurity incidents in the past, to-date none have materially affected the Company or our financial position, results of operations and/or cash flows. We continue to invest in cybersecurity and the resiliency of our networks, including our controls and processes, all of which are designed in an effort to protect our IT systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see Item 1A - Risk Factors.


Company Information

Name: SMITH A O CORP
CIK: 0000091142
SIC Description: Household Appliances
Ticker: AOS - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30