WINNEBAGO INDUSTRIES INC 10-K Cybersecurity GRC - 2024-10-23

Page last updated on October 23, 2024

WINNEBAGO INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-23 16:28:44 EDT.

Filings

10-K filed on 2024-10-23

WINNEBAGO INDUSTRIES INC filed a 10-K at 2024-10-23 16:28:44 EDT
Accession Number: 0000107687-24-000026

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy As described in Item 1A - Risk Factors , we are subject to various cybersecurity risks that could adversely affect our business, financial condition, results of operations, and reputation. We recognize the critical importance of assessing, identifying, and managing material risks associated with cybersecurity threats, and have integrated a comprehensive cybersecurity program into our broader Enterprise Risk Management (“ERM”) framework. This integration ensures that cybersecurity considerations are an integral part of our decision-making process at every level. Our cybersecurity program includes a detailed set of policies, standards, and procedures informed by an industry-leading framework established by the National Institute of Standards and Technology (“NIST CSF”). The NIST CSF provides a model that emphasizes identification, protection, detection, response, and recovery. To identify and manage risks from third parties in relation to cybersecurity, we conduct thorough cybersecurity assessments of third party service providers and include specific cybersecurity obligations in our contracts. Additionally, we continuously monitor these providers and require prompt notification of any cybersecurity incidents to manage and monitor potential risks to our business, financial condition, results of operations, and reputation. We manage our exposure to cybersecurity risk using various methods designed to protect against, detect, and respond to cybersecurity threats. For example, we leverage threat intelligence to identify trends and inform our understanding of the cybersecurity risk landscape. In addition, our cybersecurity team, which is led by our Vice President of Information Security, performs regular assessments of our program and conducts penetration testing to identify, evaluate, and remediate potential threats and vulnerabilities. We also engage external resources to support in the design and implementation of certain program elements, and to assist us in the prevention, detection, monitoring, mitigation, and remediation of cybersecurity risks and incidents. In addition to the processes, technologies, and controls that we have in place to reduce the likelihood of material cybersecurity incidents, we maintain a documented incident response plan to manage cybersecurity events within our environment. The response plan includes procedures for identifying, containing, and responding to cybersecurity incidents. Our ability to respond to cybersecurity incidents is tested on a recurring basis. We view cybersecurity as a shared responsibility. Our employees are trained through annual security training, regular phishing simulations, and frequent communications about cybersecurity threats. Governance Our cybersecurity program is led by our Vice President of Information Security and overseen by our Chief Information Officer (“CIO”). Our Vice President of Information Security, who is responsible for assessing and managing our information technology risks, including cybersecurity, joined Winnebago Industries in July 2021 and has over 25 years of experience in heavily regulated industries such as finance and healthcare. She has held multiple roles in Information Security and IT, demonstrating expertise and versatility in navigating the threat landscape of cybersecurity. Our CIO reports to our Senior Vice President, Chief Financial Officer, a member of our senior leadership team who reports to our President and Chief Executive Officer. The Audit Committee of our Board of Directors provides oversight of our ERM program, of which cybersecurity is an integral component. Members of the Audit Committee receive updates on a quarterly basis, or more frequently as appropriate, from our CIO regarding existing and new cybersecurity risks, the effectiveness and continued maturity of our cybersecurity program, cybersecurity incidents (if any), and other relevant topics that help the committee provide effective oversight. In addition, the Board of Directors also receives an Information Security Services update on an annual basis from our Vice President of Information Security and our CIO. These updates cover a wide range of topics, including but not limited to, reviewing trends and program maturity, key metrics, current and emerging cybersecurity risks, and other cybersecurity developments. We do not believe we have experienced any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial conditions, including in Fiscal 2024. However, cyber threats continue to evolve, and there can be no assurance that the actions and controls we have implemented and are implementing will be sufficient to protect our systems, information, or other property. While we maintain cybersecurity insurance to protect against potential losses arising from security incidents, the costs related to threats or disruption may not be fully insured.

Company Information