Eaton operates a mature, comprehensive cybersecurity program that is a core component of the information technology function. The program relies on people, processes, and technology to function, recognizing that technology alone cannot fully address cyber-risk. We use a standard framework, NIST CSF, to measure ourselves, identify areas of improvement, and guide future investment. Our processes span all of Eaton’s business units and functions with engagement models that span all of Eaton’s workforce. We conduct an annual assessment on the maturity of our cybersecurity against NIST CSF standards.
Every business unit, region and corporate function participates in our annual enterprise-wide risk assessment. Results are reviewed by the senior leadership committee. The business units establish coordinated mitigation plans, monitor progress and report to leadership. Eaton employs an IT Cybersecurity Dashboard to identify and manage the threat landscape. The dashboard identifies top risk scenarios based on their likelihood, impact or both, as well as the relevant cybersecurity initiatives used to prevent such scenarios.
The Board of Directors is briefed by company executives and other senior leadership on information security matters at each standing Audit Committee meeting. Audit Committee meetings generally occur at least four times per year. In addition, the Board is briefed about risks as part of the Board’s oversight of the company’s enterprise risk management program. All of our directors have extensive risk management experience, and ten of our directors have cybersecurity experience.
There were no identified material breaches of the organization’s technology environment during the years 2021-2024 despite an increase in attempted cyberattacks during the COVID-19 pandemic. The organization’s exposure to cybersecurity-related risk events is expected to increase further primarily due to the general rising threat of ransomware and Eaton’s digital transformation.
Information security continues to be a top priority in the performance of our operations. As such, we have extended our insurance plan to provide coverage of information security and cyber risks. Additionally, Eaton is evaluated for maturity and compliance by third parties annually using frameworks like NIST CSF and NIST 800-171, as well as by Eaton’s internal audit function. The evaluations cover all aspects of the information technology function.
The protection of our information assets is the responsibility of our directors, officers, employees, and any other person having access to these information assets. Embedded in our Code of Ethics is the duty to protect assets and information. We regularly train employees on our Code of Ethics, and employees are required to complete an annual information security online refresher training.
June 1, 2024