PENTAIR plc 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

PENTAIR plc reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-25 16:39:46 EST.

Filings

10-K filed on 2025-02-25

PENTAIR plc filed a 10-K at 2025-02-25 16:39:46 EST
Accession Number: 0000077360-25-000006


Item 1C. Cybersecurity.

Our management and Board of Directors (the “Board”) recognize the importance of maintaining the security and resiliency of our cybersecurity environment to deliver on the expectations of our customers, dealers, business partners, employees and investors. The Board oversees our risk management practices, including our overall enterprise risk management (“ERM”) program, in which cybersecurity risk is included. Our cybersecurity program is aligned with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and leverages the International Organization for Standardization and other applicable industry standards. Overall, the purpose of our information security program is to protect the confidentiality, integrity and availability of our systems and data, along with the safe operation of our connected products. This is supported by our security operating framework, roadmap and governance.

Cybersecurity Risk Management and Strategy

Our cybersecurity program is focused on the following areas:

Security governance

We have established processes aimed to assess, identify and manage material risks from cybersecurity threats. Our ERM organizational process includes annual risk assessments. Our cybersecurity team, which is led by our Chief Information Officer and Chief Information Security Officer (the “CIO/CISO”), is responsible for identifying, assessing and managing strategic and operational cybersecurity risks. Our cybersecurity team shares information regarding such risks with our Security Steering Committee, which consists of our General Counsel, Chief Financial Officer, CIO/CISO, and members of our IT, Legal and ERM functions. Both our Security Steering Committee and our ERM function support the Board’s oversight of cybersecurity risk.

Technical safeguards

We deploy technical safeguards designed to protect our systems from cybersecurity threats, including firewalls, anti-malware software, and authentication and authorization controls. Ongoing enhancements are integrated into our security roadmap, as informed by our security audits and assessments.

Security and privacy incident response

We maintain an incident response plan to identify, protect, detect, respond to and recover from cybersecurity threats and incidents. We test and evaluate our plans on a regular basis. The CIO/CISO, the Security Steering Committee, our Chief Executive Officer and the Board are notified of any material cybersecurity incidents through an established escalation process.

Third-party risk management

We maintain a risk-based third-party risk management process designed to identify, assess and manage risks presented by service providers, vendors and other third parties that access our systems or that process or store our data.

Security awareness and training

We provide ongoing security awareness and training to educate internal users on how to identify and report potential issues. Professional-level employees receive mandatory cybersecurity education and training. Employee phishing tests are conducted on a regular basis. Employees who do not follow protocol are redirected for additional training. We also provide periodic updates to employees on emerging cybersecurity trends and ways to protect themselves and our company.

Security audits and assessments

We perform periodic security audits and assessments to test our cybersecurity program. These efforts span across our cybersecurity program, including but not limited to audits, assessments, tabletop exercises, vulnerability scanning and penetration tests.

We regularly engage third parties to assess our cybersecurity program, including cybersecurity maturity assessments, penetration testing, and independent review of our security control environment and operating effectiveness. The results of the assessments are included for review by the Security Steering Committee and the Audit and Finance Committee of the Board. We look to enhance our cybersecurity program with the results of the audits, assessments and reviews we perform.

Governance

The Board is responsible for general oversight of our risk management, including cybersecurity risk. The Audit and Finance Committee of the Board is responsible for overseeing our risk exposure to information security, cybersecurity and data protection, as well as the steps management has taken to monitor and control such exposures. We conduct cybersecurity audits and assessments on a regular basis and either our CIO/CISO or Chief Financial Officer report to the Audit and Finance Committee on a quarterly basis.

Our cybersecurity team, which is responsible for assessing and managing our risks from cybersecurity threats, is led by the CIO/CISO, who reports to our Chief Financial Officer. The Security Steering Committee provides additional oversight for assessing and managing cybersecurity risk. The CIO/CISO has over 20 years of cybersecurity and technology experience and has previously held Chief Information Security Officer positions at a large public retail company, as well as at a public technology company and services organization. The CIO/CISO has an undergraduate degree in Management Information Systems. Members of our cybersecurity team have broad experience in security functions in various industries. Our Chief Executive Officer, Chief Financial Officer and General Counsel each hold degrees in their respective fields, and each have over 25 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.

Impact of Cybersecurity Threats

Previous cybersecurity incidents have not materially affected us, including our business strategy, results of operations or financial condition. However, risks from cybersecurity threats, including but not limited to exploitation of vulnerabilities, ransomware, denial of service, supply chain attacks, or other similar threats may materially affect us, including our execution of business strategy, reputation, results of operations and/or financial condition. See ITEM 1A. “Risk Factors - Increased cybersecurity threats and computer crime pose a risk to our systems, networks, products and services, and we are exposed to potential regulatory, financial and reputational risks relating to the protection of our data” for a discussion of cybersecurity risks.


Company Information

Name: PENTAIR plc
CIK: 0000077360
SIC Description: Special Industry Machinery (No Metalworking Machinery)
Ticker: PNR - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30