ITRON, INC. 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

ITRON, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 13:12:30 EST.

Filings

10-K filed on 2025-02-25

ITRON, INC. filed a 10-K at 2025-02-25 13:12:30 EST
Accession Number: 0000780571-25-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C: Cybersecurity In order to address cybersecurity risks and threats, we have in place teams, processes, and programs for protecting company and customer information . We have an Information Security Steering Committee (ISSC), whose purpose is to oversee the overall information security program as well as product security and data protection . The ISSC consists of senior executives, including our CEO and CFO. The ISSC meets quarterly to discuss strategy and general updates and is advised by company personnel with expertise and experience in cybersecurity risk management. We have a risk management process utilizing a Governance, Risk, and Compliance system. Our security program uses a “defense in depth” philosophy, meaning that multiple controls must be breached for an attack to be successful. We maintain a series of both protective and detective controls to enable breakdown or bypass of protection mechanisms to be detected and escalated for response. We perform logging and monitoring across systems, directed to a centralized, secure logging system operated by the Information Security team. Significant events are assessed systematically on a case-by-case basis for their potential impact and whether they could potentially become material. We maintain a cybersecurity incident policy, which provides guidelines for informing our Board of Directors (the Board) of material cybersecurity incidents and events, including potential ransomware payments. We also hold insurance with the intent to cover cybersecurity incidents. In the event of a significant cybersecurity or data privacy incident, the ISSC members are notified and updated on the status of the incident by an Incident Response Team (IRT). The IRT utilizes a process to evaluate the potential materiality of an incident. This process guides the IRT to provide information to executive leadership for materiality determination. To address risk related to third-party service providers , we have multiple processes in place to safeguard company and customer information. Upon obtaining a new vendor, we complete a risk assessment that is reviewed at least every three years. We maintain a Supplier Code of Conduct that outlines vendor expectations in areas including network security, data protection, and security breach notifications. In the case where a contract with a vendor relates to our service to customers, the contractual terms for certain cybersecurity parameters are passed down to the vendor. We hold certifications to meet the requirements of our customers and regulators, such as ISO 27001, IEC62443, and others. In addition, Itron maintains SOC 1 and SOC 2 attestations for the majority of our customer-facing managed services businesses. Through third-party incident response experts, we conduct incident response tabletop exercises each year with both the technical teams and ISSC designed to improve our systems and processes, and we have included our Board in a similar exercise. The Board provides oversight for cybersecurity within the Company and includes one director with cybersecurity expertise. Executive management reports on the status of the ISSC to the Board on a regular basis . At each Board meeting, a summary is provided covering the periodic assessment of Itron’s Information Security Program. Semiannually, the Director of Information Security presents to the Board about the status of Itron’s overall security program, internal response preparedness, and assessments of risks. At each Board meeting, information regarding the current maturity level of the program, as measured against the National Institutes of Standards and Technology Cybersecurity Framework, is presented . Due to the nature of our business, a material security incident could have a significant impact on both our brand reputation and our ability to deliver services to our clients. As of the date of this report, we do not believe any risks from cybersecurity incidents have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. There can be no guarantee that the actions and controls we and our third-party service providers have implemented and are implementing will be sufficient to protect our systems, information or other property. For a description of the risks from cybersecurity threats that may materially affect us, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report.

Company Information