Page last updated on March 3, 2025
Xylem Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 12:01:51 EST.
Filings
10-K filed on 2025-03-03
Accession Number: 0001524472-25-000013
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

Cybersecurity risk management is integrated into our Enterprise Risk Management (“ERM”) Program, which is our approach to identifying, assessing, prioritizing and mitigating risks to the Company, with mitigation efforts focused on the highest risks. Our ERM Program assesses risks, including those related to cybersecurity, annually, and monitors such risks on an ongoing basis.

We maintain a comprehensive cybersecurity program that encompasses our enterprise information technology, including operational technology and technology of third parties on which we rely, and connected products and services. Our enterprise cybersecurity program is guided by the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework. Key areas of responsibility in the program include governance, risk and compliance, threat analysis and response, security architecture and engineering, security operations and secure manufacturing operations. Our connected products and services cybersecurity program is guided by the ISA/IEC 62443 standard. Key areas of responsibility include product security, software development, innovation management, threat analysis and incident response.

Both the enterprise and connected products and services programs are designed to assess, identify and manage risks from cybersecurity threats in order to protect and preserve the security, resiliency, integrity and continued availability of the Company’s information technology systems and connected products and services, and also to protect the confidentiality and integrity of information owned by, or in the custody and care of, the Company. Elements of the programs include policies, standards, architecture, processes, tools, technology, employee education and training, and incident response. Our enterprise and product security programs undergo regular testing, including periodic vulnerability scanning and penetration testing.

In addition, we also periodically engage third parties to assess our enterprise and product security programs and provide consultation and advice to assist with assessing, identifying and managing cybersecurity risks. We maintain cybersecurity policies that apply to all employees, businesses and functions, as well as third-party vendors and contractors as required by our legal agreements with them. These policies specify roles and responsibilities, fundamental principles and proper controls required for Xylem’s protection, and also require the use of certain cyber risk management processes to onboard new suppliers and other third parties. We periodically review our policies to identify potential gaps or areas for improvement, considering changes in the Company, and its connected products and services, as appropriate.

Our Cybersecurity Incident Response Plan (“IRP”), which generally aligns with NIST’s guidance, provides management with a standardized framework for responding to an actual or potential cybersecurity threat or incident. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. The IRP also specifies the use of third-party experts for legal advice, consulting and incident response, as appropriate. The IRP undergoes at least annual tabletop exercises, the results of which are used to identify areas for improvement in our processes and technologies. We have protocols and processes by which certain cybersecurity incidents, as specified by our IRP, are escalated within the Company and, as appropriate, to the Audit Committee of the Board of Directors.

Employees receive annual and ongoing education and training regarding relevant cybersecurity risks and practices, including how to protect information and systems from cyber threats. We also conduct monthly phishing simulations to increase employees’ ability to detect and prevent such threats. The Company maintains insurance as part of its cybersecurity risk mitigation strategy to provide protection against certain potential losses arising from certain cybersecurity incidents.

Cybersecurity Governance

In line with its broader strategic oversight, the Board oversees cybersecurity, including strategy and processes. To assist with oversight of cybersecurity, the Board has delegated to its Audit Committee responsibility to oversee certain aspects of cybersecurity, including controls and reporting. At least semi-annually, the Audit Committee or full Board receive reports from the Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”). Reports include topics such as updates on the Company’s cybersecurity risk profile, assessments of the Company’s enterprise and product security programs, management’s strategy for managing risks, measures implemented to identify and mitigate cybersecurity risks, the status of projects to strengthen the Company’s cybersecurity posture, the emerging cybersecurity threat landscape and other relevant topics. The Board also receives a report from management on the results of the Company’s annual ERM Program risk assessment, as well as periodic updates on the ERM Program and ongoing monitoring of the Company’s risks, including cybersecurity risk, as appropriate.

The Company’s Cyber Risk Committee (“CRC”), comprised of a cross-functional group of senior executives, provides advice and governance regarding the Company’s strategic management of cybersecurity across the Company, including cybersecurity risk posture, projects, issues, threat intelligence and escalations. At its periodic meetings, the CRC receives reports and presentations from the CISO or third parties on internal and external cybersecurity matters, and, as appropriate, briefings from the CISO on cybersecurity incidents, the Company’s incident response, recovery and remediation and actual or potential impacts.

Our CISO, who has extensive cybersecurity knowledge and skills gained from over 25 years of relevant work experience, and is a Certified Information Systems Security Professional, is responsible for assessing, monitoring and advising the Company’s various business units, management and the Board on risks from cybersecurity threats; implementing cybersecurity strategy, programs and processes across our enterprise and connected products and services; reviewing the risk management measures implemented by the Company to identify and mitigate cybersecurity risks; and overseeing the maintenance and deployment of the Cybersecurity Incident Response Plan. The CISO leads the Company’s Cybersecurity Team (“Team”), comprised of individuals with a broad range of cybersecurity skills, experiences and certifications. The Team is responsible for the implementation, monitoring and maintenance of the Company’s cybersecurity practices in coordination with its businesses, operations and functions, and oversees the Company’s cybersecurity program.

Material Cybersecurity Risks, Threats & Incidents

Although we have experienced actual and attempted cybersecurity threats and incidents in the past, we do not believe that the risks from any of these events or incidents, individually or in the aggregate, have materially affected our business, operations or financial condition, or are reasonably likely to have such an effect. However, due to evolving cybersecurity threats, it has and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents. For a more detailed discussion of the risks we face see the discussion set forth under “Item 1A. Risk Factors” in this Report.
Company Information
Name | Xylem Inc. |
CIK | 0001524472 |
SIC Description | Pumps & Pumping Equipment |
Ticker | XYL - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |