XML 47 R31.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
In order to address cybersecurity risks and threats, we have in place teams, processes, and programs for protecting company and customer information. We have an Information Security Steering Committee (ISSC), whose purpose is to oversee the overall information security program as well as product security and data protection. The ISSC consists of senior executives, including our CEO and CFO. The ISSC meets quarterly to discuss strategy and general updates and is advised by company personnel with expertise and experience in cybersecurity risk management.

We have a risk management process utilizing a Governance, Risk, and Compliance system. Our security program uses a "defense in depth" philosophy, meaning that multiple controls must be breached for an attack to be successful. We maintain a series of both protective and detective controls to enable breakdown or bypass of protection mechanisms to be detected and escalated for response. We perform logging and monitoring across systems, directed to a centralized, secure logging system operated by the Information Security team. Significant events are assessed systematically on a case-by-case basis for their potential impact and whether they could potentially become material.

We maintain a cybersecurity incident policy, which provides guidelines for informing our Board of Directors (the Board) of material cybersecurity incidents and events, including potential ransomware payments. We also hold insurance with the intent to cover cybersecurity incidents. In the event of a significant cybersecurity or data privacy incident, the ISSC members are notified and updated on the status of the incident by an Incident Response Team (IRT). The IRT utilizes a process to evaluate the potential materiality of an incident. This process guides the IRT to provide information to executive leadership for materiality determination.

To address risk related to third-party service providers, we have multiple processes in place to safeguard company and customer information. Upon obtaining a new vendor, we complete a risk assessment that is reviewed at least every three years. We maintain a Supplier Code of Conduct that outlines vendor expectations in areas including network security, data protection, and security breach notifications. In the case where a contract with a vendor relates to our service to customers, the contractual terms for certain cybersecurity parameters are passed down to the vendor. We hold certifications to meet the requirements of
our customers and regulators, such as ISO 27001, IEC62443, and others. In addition, Itron maintains SOC 1 and SOC 2 attestations for the majority of our customer-facing managed services businesses.

Through third-party incident response experts, we conduct incident response tabletop exercises each year with both the technical teams and ISSC designed to improve our systems and processes, and we have included our Board in a similar exercise.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
In order to address cybersecurity risks and threats, we have in place teams, processes, and programs for protecting company and customer information. We have an Information Security Steering Committee (ISSC), whose purpose is to oversee the overall information security program as well as product security and data protection. The ISSC consists of senior executives, including our CEO and CFO. The ISSC meets quarterly to discuss strategy and general updates and is advised by company personnel with expertise and experience in cybersecurity risk management.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Board provides oversight for cybersecurity within the Company and includes one director with cybersecurity expertise. Executive management reports on the status of the ISSC to the Board on a regular basis. At each Board meeting, a summary is provided covering the periodic assessment of Itron's Information Security Program. Semiannually, the Director of Information Security presents to the Board about the status of Itron's overall security program, internal response preparedness, and assessments of risks. At each Board meeting, information regarding the current maturity level of the program, as measured against the National Institutes of Standards and Technology Cybersecurity Framework, is presented. Due to the nature of our business, a material security incident could have a significant impact on both our brand reputation and our ability to deliver services to our clients.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] We have an Information Security Steering Committee (ISSC), whose purpose is to oversee the overall information security program as well as product security and data protectionThe Board provides oversight for cybersecurity within the Company and includes one director with cybersecurity expertise. Executive management reports on the status of the ISSC to the Board on a regular basis
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] At each Board meeting, a summary is provided covering the periodic assessment of Itron's Information Security Program. Semiannually, the Director of Information Security presents to the Board about the status of Itron's overall security program, internal response preparedness, and assessments of risks. At each Board meeting, information regarding the current maturity level of the program, as measured against the National Institutes of Standards and Technology Cybersecurity Framework, is presented
Cybersecurity Risk Role of Management [Text Block]
In order to address cybersecurity risks and threats, we have in place teams, processes, and programs for protecting company and customer information. We have an Information Security Steering Committee (ISSC), whose purpose is to oversee the overall information security program as well as product security and data protection. The ISSC consists of senior executives, including our CEO and CFO. The ISSC meets quarterly to discuss strategy and general updates and is advised by company personnel with expertise and experience in cybersecurity risk management.

We have a risk management process utilizing a Governance, Risk, and Compliance system. Our security program uses a "defense in depth" philosophy, meaning that multiple controls must be breached for an attack to be successful. We maintain a series of both protective and detective controls to enable breakdown or bypass of protection mechanisms to be detected and escalated for response. We perform logging and monitoring across systems, directed to a centralized, secure logging system operated by the Information Security team. Significant events are assessed systematically on a case-by-case basis for their potential impact and whether they could potentially become material.

We maintain a cybersecurity incident policy, which provides guidelines for informing our Board of Directors (the Board) of material cybersecurity incidents and events, including potential ransomware payments. We also hold insurance with the intent to cover cybersecurity incidents. In the event of a significant cybersecurity or data privacy incident, the ISSC members are notified and updated on the status of the incident by an Incident Response Team (IRT). The IRT utilizes a process to evaluate the potential materiality of an incident. This process guides the IRT to provide information to executive leadership for materiality determination.

To address risk related to third-party service providers, we have multiple processes in place to safeguard company and customer information. Upon obtaining a new vendor, we complete a risk assessment that is reviewed at least every three years. We maintain a Supplier Code of Conduct that outlines vendor expectations in areas including network security, data protection, and security breach notifications. In the case where a contract with a vendor relates to our service to customers, the contractual terms for certain cybersecurity parameters are passed down to the vendor. We hold certifications to meet the requirements of
our customers and regulators, such as ISO 27001, IEC62443, and others. In addition, Itron maintains SOC 1 and SOC 2 attestations for the majority of our customer-facing managed services businesses.

Through third-party incident response experts, we conduct incident response tabletop exercises each year with both the technical teams and ISSC designed to improve our systems and processes, and we have included our Board in a similar exercise.
The Board provides oversight for cybersecurity within the Company and includes one director with cybersecurity expertise. Executive management reports on the status of the ISSC to the Board on a regular basis. At each Board meeting, a summary is provided covering the periodic assessment of Itron's Information Security Program. Semiannually, the Director of Information Security presents to the Board about the status of Itron's overall security program, internal response preparedness, and assessments of risks. At each Board meeting, information regarding the current maturity level of the program, as measured against the National Institutes of Standards and Technology Cybersecurity Framework, is presented. Due to the nature of our business, a material security incident could have a significant impact on both our brand reputation and our ability to deliver services to our clients.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Board provides oversight for cybersecurity within the Company and includes one director with cybersecurity expertise. Executive management reports on the status of the ISSC to the Board on a regular basis
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The ISSC consists of senior executives, including our CEO and CFO. The ISSC meets quarterly to discuss strategy and general updates and is advised by company personnel with expertise and experience in cybersecurity risk management.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Executive management reports on the status of the ISSC to the Board on a regular basis. At each Board meeting, a summary is provided covering the periodic assessment of Itron's Information Security Program. Semiannually, the Director of Information Security presents to the Board about the status of Itron's overall security program, internal response preparedness, and assessments of risks. At each Board meeting, information regarding the current maturity level of the program, as measured against the National Institutes of Standards and Technology Cybersecurity Framework, is presented
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true