ETHAN ALLEN INTERIORS INC 10-K Cybersecurity GRC - 2024-08-23

Page last updated on August 23, 2024

ETHAN ALLEN INTERIORS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-23 16:00:46 EDT.

Filings

10-K filed on 2024-08-23

ETHAN ALLEN INTERIORS INC filed a 10-K at 2024-08-23 16:00:46 EDT
Accession Number: 0001437749-24-027664


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have policies, procedures and processes in place to identify, assess and monitor material risks from cybersecurity threats. These plans are part of our overall enterprise risk management strategy and are part of our operating procedures, internal controls, and information systems. Cybersecurity risks include, among other things, fraud, extortion, harm to employees or customers, violation of privacy or security laws and other litigation and legal risks, and reputational risks.

We have developed and implemented a cybersecurity framework intended to assess, identify and manage risks from threats to the security of our information, systems, and network using a risk-based approach. The framework is informed in part by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, although this does not imply that we meet all technical standards, specifications or requirements under the NIST.

Our key cybersecurity processes include the following:

● Risk-based controls for information systems and information on our networks: We seek to maintain an information technology infrastructure that implements physical, administrative and technical controls that are calibrated based on risk and designed to protect the confidentiality, integrity and availability of our information systems and information stored on our networks, including customer and employee information.

● Cybersecurity incident response plan and testing: We have a cybersecurity incident response plan and dedicated teams to respond to cybersecurity incidents. When a cybersecurity incident occurs or we identify a vulnerability, we have cross-functional teams that are responsible for leading the initial assessment of priority and severity, and external experts may also be engaged as appropriate. Our cybersecurity teams assist in responding to incidents depending on severity levels and seek to improve our cybersecurity incident management plan through periodic tabletops or simulations. Our Vice President of Information Technology and other members of his team oversee the implementation of this plan and are made aware of ongoing risks and incidents.

● Training: We provide security awareness training to our employees so they may better understand their information protection and cybersecurity responsibilities. We also provide additional training to certain employees based on their roles.

● Supplier risk assessments: Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply-chain or who have access to our customer and employee data on our systems. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity-specific risk identification program. These considerations affect the selection and access to our systems, data, or facilities. We also seek contractual commitments from key suppliers to appropriately secure and maintain their information technology systems and protect our information that is processed on their systems.

● Third-party assessments: We have engaged third-party vendors to periodically assess our cybersecurity posture, to assist in identifying and remediating risks from cybersecurity threats. We also regularly engage with consultants, auditors, and other third-parties to help identify areas for continued focus, improvement and compliance.

While the Company has experienced cybersecurity incidents, we are not aware of any cybersecurity incidents to date, including as a result of any previous cybersecurity incidents, that has materially affected or is reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, the sophistication of and risks from cybersecurity threats and incidents continue to increase and the preventative actions we have taken and continue to take to reduce these risks and protect our systems and information may not successfully protect against all cybersecurity threats and incidents in the future. For more information, see Item 1A. Risk Factors under the heading of “Technology and Data Security Risks”, of this Annual Report on Form 10-K.

Cybersecurity Governance

The Company’s Board of Directors (the “Board”), as a whole, has oversight responsibility for our strategic and operational risks. The Board regularly reviews and discusses with management the strategies, processes and controls pertaining to the management of our information technology operations, including updates on the internal and external cybersecurity threat landscape, incident response, assessment and training activities, and relevant legislative, regulatory, and technical developments. Our Vice President of Information Technology presents, at least annually, to the Board, an overview of our cybersecurity threat risk management and strategy as well as provides reports regarding the evolving cybersecurity landscape, including emerging risk.

Our Vice President of Information Technology and other members of his team remain informed about cybersecurity threats through the reporting framework as described above under Cybersecurity Risk Management and Security - Cybersecurity incident response plan and testing. The Information Technology team is responsible for the day-to-day assessment and management of cybersecurity risks.

Our cybersecurity risk management and strategy are led by our Vice President of Information Technology, and our Manager of Security. Such individuals have over 50 years of work experience, collectively, in various roles managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs.


Company Information

Name: ETHAN ALLEN INTERIORS INC
CIK: 0000896156
SIC Description: Wood Household Furniture, (No Upholstered)
Ticker: ETD - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: June 29