Crane NXT, Co. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

Crane NXT, Co. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:19:00 EST.

Filings

10-K filed on 2025-02-20

Crane NXT, Co. filed a 10-K at 2025-02-20 16:19:00 EST
Accession Number: 0001628280-25-006754

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our enterprise risk management includes a comprehensive cybersecurity risk management program with policies, standards, processes and practices based on recognized industry standards and frameworks such as the National Institute of Standards and Technology (NIST), Cybersecurity Framework (CSF) and the Center for Internet Security (CIS) critical security controls. Our cybersecurity program includes regular training for personnel, an incident response protocol tested at least annually as part of our enterprise-wide crisis response program, cybersecurity insurance, and regular assessments through activities such as penetration testing, and compliance audits performed on our information technology networks and systems by both our internal cybersecurity teams and external service providers . Although we have continued to invest in our due diligence, onboarding, and monitoring capabilities over external partners with whom we do business, including our third-party vendors and service providers, our control over the security posture of, and ability to monitor the cybersecurity practices of, such external partners remains limited, and there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the cybersecurity infrastructure owned or controlled by such external partners. When we do become aware that an external partner has experienced such compromise or failure, we attempt to mitigate our risk, including by terminating such external partner’s connection to our information technology networks and systems where appropriate. For more information on cybersecurity risks and how they affect our business, operating results and financial condition, refer to Item 1A, Risk Factors. As of the date of the filing of this Current Report on Form 10-K, we have not identified any risks from a cybersecurity threat or incident that we believe has materially affected or is reasonably likely to materially affect the Company. Governance, Oversight and Leadership Our Board of Directors has charged the Audit Committee with responsibility for monitoring the Company’s processes and procedures for enterprise risk identification, assessment and management, and cybersecurity represents an important component of our overall approach to enterprise risk management. The Audit Committee receives regular reports at least twice annually from our Chief Information Security Officers (“CISO”) on a wide range of cybersecurity topics, including our cybersecurity program’s performance, results of assessments, emerging threats, capability enhancements, and recent developments and trends. Our CISO , who reports to our Chief Financial Officer (“CFO”), leads our cybersecurity program and has more than 20 years of cybersecurity experience. The cybersecurity teams reporting to our CISO are staffed by highly skilled cybersecurity professionals, including both internal staff and external partners, with broad knowledge of cybersecurity issues from experience and through training and certifications. Our cybersecurity teams are responsible for detecting, mitigating, and responding to cybersecurity threats through a network of technologies, capabilities, and best practices on a 24/7 basis. Our CISO, in coordination with our cybersecurity teams, and members of our senior leadership team such as our Chief Executive Officer (“CEO”), CFO and General Counsel (“GC”), works collaboratively across the Company to operate a program designed to protect our business from cybersecurity threats and respond to any cybersecurity incidents in accordance with our incident response and recovery plans in real time. We have established internal reporting processes designed to ensure that our Board of Directors and the Audit Committee receive information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. In the event of a cybersecurity incident, the materiality of the incident will be evaluated and determined with appropriate input from the CEO, CFO, GC, CISO and other key participants in our cybersecurity program, including external advisors to the extent appropriate. 17

Company Information