THOR INDUSTRIES INC 10-K Cybersecurity GRC - 2024-09-24

Page last updated on September 24, 2024

THOR INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-24 06:32:35 EDT.

Filings

10-K filed on 2024-09-24

THOR INDUSTRIES INC filed a 10-K at 2024-09-24 06:32:35 EDT
Accession Number: 0000730263-24-000010


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY RISK MANAGEMENT, STRATEGY AND GOVERNANCE

Risk Management and Strategy

While cybersecurity risk can never be eliminated entirely, we devote significant resources to our cybersecurity program that we believe is reasonably designed to mitigate our cybersecurity and information technology (“IT”) risks - which include, among others, unauthorized access to and misappropriation of our information, corruption of data, intentional or unintentional disclosure of confidential information, or disruption of operations. Cybersecurity risk management processes have been integrated into the Company’s overall risk management system, including our ERM process. Threats to our cyber/digital landscape are regularly identified and then assessed in terms of their potential business impact. Mitigation strategies are developed based on our assessment of the potential business impact (both quantitatively and reputationally) of the threat. Because a cybersecurity threat can have implications beyond IT, the Company draws on cross-functional expertise to determine the potential business impact and proportional mitigation efforts or solutions. This expertise may involve third-party resources with functional expertise related to the specific threat or business impact.

As part of our risk management profile, we regularly review available cybersecurity data regarding our business partners (suppliers, dealers, third-party service providers and others) and regularly engage with them on risk mitigation efforts. Internally, among other things, we perform penetration tests, internal tests/code reviews, and simulations using cybersecurity professionals to assess vulnerabilities in our information systems and evaluate our cyber defense capabilities. We also perform phishing and social engineering simulations with, and provide cybersecurity training for, personnel with Company e-mail and access to Company assets.
When a cybersecurity incident is detected, our response is governed by our IT Security Incident Response Policy, providing a rigorous, standardized process to ensure efficacy of the response. In general, when a cybersecurity incident is identified, our policy requires an initial review and triage of the incident. When a cybersecurity incident is determined to be significant, it is brought to the attention of a cross-functional leadership team consisting of our Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Chief Human Resources Officer and General Counsel and is addressed by that team, along with other internal stakeholders, using processes that leverage subject-matter expertise from across the Company. As with risk mitigation, we may engage third-party advisors, from time to time, as part of our incident response and management process. As part of our risk mitigation efforts, we also maintain cybersecurity insurance to defray the costs of potential information security breaches.

In fiscal 2024, THOR did not identify any material cybersecurity threats, including as a result of any previous cybersecurity incident, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, despite the capabilities, processes, and other security measures we employ that we believe are designed to detect, reduce, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or may not accurately assess the risks of incidents, and such preventive measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks. Moreover, we, our suppliers and our dealers have been the target of cybersecurity incidents in the past and may be subject to such incidents in the future. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.
Governance

The Company’s Audit Committee of our Board of Directors is charged with specific responsibility for overseeing risks from cybersecurity threats. Our Data Protection Officer provides the Audit Committee with quarterly reports on cybersecurity risks and any material cybersecurity incidents. In addition, our Data Protection Officer provides semi-annual reports directly to our Board of Directors. These regular updates include topics related to cybersecurity practices, cyber risks and risk management processes, such as updates to our cybersecurity programs and mitigation strategies, and other cybersecurity developments.

Reporting directly to our Chief Operating Officer, our Data Protection Officer has primary day-to-day responsibility for our overall cybersecurity risk management program and oversees both our internal cybersecurity personnel and our retained external cybersecurity consultants. With close to 25 years of experience in the fields of cybersecurity and data protection, our Data Protection Officer joined the Company in 2019.


Company Information

Name: THOR INDUSTRIES INC
CIK: 0000730263
SIC Description: Motor Homes
Ticker: THO - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: July 30