TIMKEN CO 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

TIMKEN CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 12:50:08 EST.

Filings

10-K filed on 2025-02-20

TIMKEN CO filed a 10-K at 2025-02-20 12:50:08 EST
Accession Number: 0000098362-25-000055

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Governance Information security is an integral part of the Company’s overall enterprise risk management program. The Company maintains cybersecurity processes designed to detect and assess the severity of cybersecurity threats and incidents and, where applicable and possible, to identify the source of a threat or incident, including, whether it is associated with the use of third-party service providers. The Company’s processes also include cybersecurity testing, detection, response, prevention and mitigation strategies, conducting contract and vendor due diligence review, and informing management and the Company’s Board of Directors of material cybersecurity threats and incidents. The Company’s information security team also engages third-party security consultants for penetration testing, training and system enhancements. The Company provides training and education for employees on cybersecurity awareness, including confidential information protection and simulated phishing attacks where appropriate for the employee’s role. The Board of Directors has overall oversight responsibility for the Company’s risk management function, and primarily relies on the Audit Committee to administer this oversight. With respect to cybersecurity, the Board and Audit Committee are responsible for confirming that the Company’s management maintains appropriate cybersecurity policies and has processes in place designed to identify and evaluate cybersecurity risks to which the Company is exposed, to manage cybersecurity risks and to mitigate any cybersecurity incidents. The Vice President of Information Technology is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes for monitoring and mitigating potential cybersecurity risks, exposures, implementing appropriate mitigation measures and maintaining our cybersecurity program. The Company’s dedicated personnel, who report to the Vice President of Information Technology, are certified and experienced information systems security professionals and information security managers with many years of experience. The Vice President of Information Technology has managed this team for over five years after having progressed through various roles of increasing responsibility in both operations and technology at the Company. The Vice President of Information Technology and other members of management report to either the Board of Directors or the Audit Committee at least annually on, among other topics, updates to the Company’s cybersecurity program and mitigation strategies, developments in cybersecurity practices generally, and third-party assessments of the Company’s cybersecurity program. Management also provides general program updates and industry trends to the Board and Audit Committee on a more ad hoc basis. In 2024, the Company did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, despite our efforts, the Company cannot eliminate all risks from cybersecurity threats, or provide assurances that it has not experienced an undetected cybersecurity incident. For more information about these risks, please refer to Item 1A. Risk Factors - Risks Related to Data Privacy and Information Security in this Annual Report on Form 10-K.

Company Information