MILLERKNOLL, INC. 10-K Cybersecurity GRC - 2024-07-30

Page last updated on July 30, 2024

MILLERKNOLL, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-30 16:08:05 EDT.

Filings

10-K filed on 2024-07-30

MILLERKNOLL, INC. filed a 10-K at 2024-07-30 16:08:05 EDT
Accession Number: 0000066382-24-000053


Item 1C. Cybersecurity.

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. To mitigate the threat to our business, we take a comprehensive approach to cybersecurity risk management. The Company’s Board of Directors as well as its Chief Technology Officer (“CTO”) and Chief Information Security Officer (“CISO”), are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. We have established policies, standards, processes, and practices for assessing, identifying, managing and mitigating material risks from cybersecurity threats.

Risk Assessment and Management

We rely on a multidisciplinary team, including our information security function, legal department, management, and third-party service providers to identify, assess, remediate and manage cybersecurity threats and risks. We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, for example, manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and threat actors, conducting scans of the threat environment, utilizing internal and external audits, and conducting threat and vulnerability assessments.

At least annually, we review our security controls and address information security vulnerabilities, conduct security testing, and assess our external sources for their security risk (e.g., security incidents, data security, security controls, third parties, etc.). The results of the assessment are used to drive alignment and prioritization of initiatives to enhance our security posture, improve security processes, and to manage a broader enterprise-level risk program that is presented to the Board of Directors, the Audit Committee, and members of management.

The Company maintains various technical, physical, and organizational measures, processes, standards, and policies designed to manage and mitigate material risks from cybersecurity threats against our information systems and data. These include:

- incident detection and response
- vulnerability management
- disaster recovery plans
- internal controls within our accounting and financial reporting functions
- encryption of data
- network security controls
- access controls
- physical security
- asset management
- systems monitoring
- vendor risk management program
- employee training.

Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on the Company. Refer to Item 1A for a discussion of cybersecurity risks.

Governance

Our Board of Directors is responsible for overseeing our enterprise risk management activities, and each of our Board committees assists the Board in the role of risk oversight. The full Board receives an update on the Company’s risk management process and the risk trends related to cybersecurity at least annually. The Audit Committee specifically assists the Board of Directors in its oversight of risks related to cybersecurity. The Audit Committee receives quarterly reports from management about emerging data privacy and cybersecurity developments and threats, the Company’s cybersecurity posture which includes a review of the state of the Company’s cybersecurity, and the Company’s strategy to mitigate data protection and cybersecurity risks.

Our CISO, CTO, and General Counsel have primary responsibility for assessing and managing material cybersecurity risks and are members of management’s Information Security Council (the “Security Council”), which is a governing body that drives alignment on security decisions across the Company. The Security Council meets regularly to review and make recommendations on security policies and procedures, risk mitigation strategies, incident response and management plans and stakeholder engagement.

We have an established process led by our Security Council to govern our assessment, response, and notifications internally and externally upon the occurrence of a cybersecurity incident. Depending on the nature and severity of an incident, this process provides escalation procedures to our CEO, Audit Committee, and the Board of Directors.


Company Information

Name: MILLERKNOLL, INC.
CIK: 0000066382
SIC Description: Office Furniture
Ticker: MLKN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: May 31