LA-Z-BOY INC 10-K Cybersecurity GRC - 2024-06-17

Page last updated on July 16, 2024

LA-Z-BOY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-17 16:42:02 EDT.

Filings

10-K filed on 2024-06-17

LA-Z-BOY INC filed a 10-K at 2024-06-17 16:42:02 EDT
Accession Number: 0000057131-24-000028


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company has developed an information security program to address risks from cybersecurity threats. The program includes policies and procedures that identify how security measures and controls are developed, implemented, and maintained. A risk assessment is conducted annually. The risk assessment along with risk-based analysis and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls, and impact of controls on operations and others.

Specific controls that are used to some extent by the Company include endpoint threat detection and response (EDR), identity and access management (IAM), privileged access management (PAM), logging and monitoring involving the use of security information and event management (SIEM), multi-factor authentication (MFA), firewalls and intrusion detection and prevention, and vulnerability and patch management. Third-party security firms are used by the Company in different capacities to provide or operate some of these controls and technology systems. Third parties are also used to conduct assessments, such as vulnerability scans and penetration testing of the Company and its systems. The Company uses a variety of processes to address cybersecurity threats related to the use of third-party technology and services. The Company has a written incident response plan (“IRP”) and conducts tabletop exercises to enhance incident response preparedness. Business continuity and disaster recovery plans are used to prepare for the potential for a disruption in technology we rely on. The Company is a member of an industry cybersecurity intelligence and risk sharing organization.

Certain employees, including those with access to Company-provided e-mail accounts, undergo security awareness training when hired and annually. The Company has an enterprise risk management committee comprised of key business and functional leaders to address enterprise risks, and cybersecurity is a risk category addressed by that group. In addition to assessing major risks, management identifies and monitors such risks. At least annually, the Company’s executive leadership reviews with the Board of Directors the major risks identified in the enterprise risk management process, as well as the steps identified to mitigate such risks. Each of the business and functional leaders responsible for the management of these identified risks also regularly discuss with the Board changes in assessment of these risks and mitigation plans.

The Company (or third parties it relies on) may not be able to fully, continuously, and effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine the security controls to implement and it is possible we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. And events, when detected by security tools or third parties, may not always be immediately understood or acted upon. The Company is not aware of any cybersecurity threat or any material cybersecurity incident to date, including as a result of any previous cybersecurity incidents, that has materially affected or is reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Additionally, in Item 1A Risk Factors under the heading of “Operational Risk Factors,” forward-looking cybersecurity threats that could have a material impact on the Company are discussed. Those sections of Item 1A should be read in conjunction with this Item 1C.

Governance

The Chief Information Officer (“CIO”) is the management position with primary oversight responsibility for the team responsible for the development, operation, and maintenance of our information security program. Pursuant to the Company’s written IRP, the CIO is a member of the executive incident response team and severity classifications in the IRP are used to escalate matters to the executive incident response team. The CIO has more than 20 years of comprehensive IT experience across a breadth of technologies. The CIO is also a member of the Company’s executive leadership team and meets regularly with the CEO, CFO and other members of the executive leadership team. The CIO reports directly to the Board, at least twice a year, on cybersecurity risks and strategy and attends Board meetings to be available to discuss cybersecurity matters with the Board. Oversight of the information security program at the Board level sits with the Audit Committee. The CIO reports to the Audit Committee on risks and internal controls related to cybersecurity and information technology and systems at least annually and attends quarterly Committee meetings to be available to discuss such matters with the Audit Committee.


Company Information

Name: LA-Z-BOY INC
CIK: 0000057131
SIC Description: Household Furniture
Ticker: LZB - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: April 26