FLEXSTEEL INDUSTRIES INC 10-K Cybersecurity GRC - 2024-08-30

Page last updated on August 30, 2024

FLEXSTEEL INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-30 16:45:36 EDT.

Filings

10-K filed on 2024-08-30

FLEXSTEEL INDUSTRIES INC filed a 10-K at 2024-08-30 16:45:36 EDT
Accession Number: 0000950170-24-102402

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The Company’s cybersecurity risk management program is integrated into the overall risk management framework, including risk identification, assessment, and mitigation across all areas of the business. The cybersecurity risk management program is designed to align with industry best practices and has adopted the framework and measurement practices developed by the National Institute of Standards and Technology (NIST). In addition, the Company has implemented a cross-functional cybersecurity steering team to facilitate coordination across key departments and assists in defining policies, procedures, and mitigation strategies, and will be called on to assist in risk assessment of any threat or incident. The Company has a written Emergency Action Plan that includes the handling of material cybersecurity incidents and business continuity if there is a disruption in operations. The Company utilizes a third-party cybersecurity partner to assist in monitoring our systems 24 hours a day, and to structure the technical handling of cybersecurity threats and incidents. In addition, the partner is utilized to regularly conduct formal penetration testing and tabletop exercises used to further prepare the organization. This partner also provides ongoing insights and advisory services in order to better align our program with current best practices. The Company uses a variety of processes to address risk associated with the use of third-party service providers. All employees, including anyone with access to Company-provided email accounts, must engage in quarterly cybersecurity awareness training and are tested internally on a regular basis. Additionally, we maintain cyber insurance coverage, including protection to further mitigate potential financial losses from cybersecurity incidents. As of the date of this Annual Report on Form 10-K we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business, results of operations or financial condition. However, despite our best efforts, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced undetected cybersecurity incidents. See “Risk Factors” in Item 1A in this Annual Report on Form 10-K for further discussion. Governance The Board of Directors is responsible for the oversight of our cybersecurity risk management program. On a quarterly basis, our Chief Information Officer (CIO) provides a cybersecurity status report and update to the Board of Directors, which includes a scorecard of cybersecurity threats, updates on key initiatives, and any changes in trends that may impact the Company. The CIO reports directly to the President and Chief Executive Officer (CEO) and meets regularly with him, the Chief Financial Officer, and other members of the Executive Leadership Team. The CIO has over 25 years of experience in IT Operations and is supported by an internal Director of IT Security and a virtual Chief Information Security Officer (vCISO) service to ensure comprehensive focus on the program. The Emergency Action Plan defines the handling of cyber related incidents with support of the cross-functional steering team to assess the potential materiality of cybersecurity events and to report on the detection, analysis, and containment from such events. As the severity of events meet certain levels as specified by the Incident Response Plan, those events are escalated to senior levels of management and reported to the Board of Directors. Our Board of Directors is responsible for the oversight of controls and procedures related to the public disclosure of material cybersecurity incidents.

Company Information