Page last updated on February 10, 2025
BASSETT FURNITURE INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-10 09:09:49 EST.
Company Summary
Bassett Furniture is the U.S.A.'s leading furniture portal, with stores in more than 50 cities. They also develop mobile applications to help control certain furniture.
Filings
10-K filed on 2025-02-10
BASSETT FURNITURE INDUSTRIES INC filed a 10-K at 2025-02-10 09:09:49 EST
Accession Number: 0001437749-25-003216
Item 1C. Cybersecurity.
Risk Management and Strategy
The Company has developed a standards-based information security program to address risks from cybersecurity threats. The program includes policies and procedures that identify how security measures and controls are developed, implemented, and maintained. The maturity and effectiveness of the security program is reviewed biennially by a reputable third party. A risk assessment is conducted annually. The risk assessment along with risk-based analysis and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls, and impact of controls on operations and others. Specific controls that are used to some extent by the Company include endpoint threat detection and response (EDR), identity and access management (IAM), multi-factor authentication (MFA), firewalls and intrusion detection and prevention, and vulnerability and patch management. An internal information security audit program is in place to ensure controls remain operational and effective.
Third-party security firms are used by the Company in different capacities to provide or operate some of these controls and technology systems. Third parties are also used to conduct assessments, such as vulnerability scans and penetration testing of the Company and its systems. The Company uses a variety of processes to address cybersecurity threats related to the use of third-party technology and services. The Company has a written incident response plan (“IRP”) and conducts tabletop exercises to enhance incident response preparedness. Disaster recovery plans are used to prepare for the potential for a disruption in technology we rely on. Employees undergo security awareness training, including phishing simulation training, when hired and periodically throughout the year.
The Company’s executive leadership team meets regularly to address enterprise risks, and cybersecurity is a risk category addressed by that group. In addition to assessing major risks, management identifies and monitors such risks. At least annually, the Company’s executive leadership reviews with the Board of Directors the major risks identified in the enterprise risk management process, as well as the steps identified to mitigate such risks. Each of the business and functional leaders responsible for the management of these identified risks also regularly discuss with the Board changes in assessment of these risks and mitigation plans. The Company (or third parties it relies on) may not be able to fully, continuously, and effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine the security controls to implement and it is possible we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. And events, when detected by security tools or third parties, may not always be immediately understood or acted upon. The Company activated their incident response plan to address a security incident in 2024. The Company is not aware of additional cybersecurity threats or any material cybersecurity incidents to date that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. On July 10, 2024, we detected unauthorized occurrences on a portion of our information technology (IT) systems. 
Upon detecting the unauthorized occurrences, we immediately began taking steps to contain, assess and remediate the cybersecurity incident, including beginning an investigation with leading external cybersecurity specialists, activating our incident response plan, and shutting down some systems. As a result of these and other measures, we believe the threat actor was ejected from our IT systems on July 10, 2024. After we shut down some of our systems, we experienced disruption to certain of our operations, including interrupted manufacturing at our domestic plants and delayed order fulfillment for our retail network and delay of some wholesale shipments. Within a few days of the incident, we were able to resume retail order fulfillment and caught up on fulfilling wholesale orders that were delayed as a result of the cybersecurity incident. We have fully restored the IT systems and data and our investigation has not found evidence that any of our core operating systems for manufacturing, wholesale and retail order processing and fulfillment, or financial reporting were impacted. While we believe the impacts were not material to our financial condition and results of operations for the fiscal year, we estimate that between $1,000 and $2,000 of sales were lost due to the shutdown during the cybersecurity incident. During the third quarter of 2024, we also incurred legal and remediation costs related to the incident of approximately $98 which are included in selling, general and administrative expenses. In addition, cost of goods sold for year ended November 30, 2024 includes $609 for wages paid to hourly production employees during the work stoppage resulting from the cybersecurity incident. Because no inventory was produced during the temporary shutdown of our manufacturing operations, these wages were charged directly to expense. 
We are seeking reimbursement of certain costs, expenses and losses stemming from the cybersecurity incident and have submitted a claim to our cybersecurity insurer. We expect final resolution and payment of the claim during the first half of 2025. Additionally, in Item 1A Risk Factors under the heading of “Risks Related to Electronic Data Processing and Digital Information,” forward-looking cybersecurity threats that could have a material impact on the Company are discussed. That section of Item 1A should be read in conjunction with this Item 1C.
Governance
The Chief Information Officer (“CIO”) holds primary oversight responsibility for the team managing the development, operation, and maintenance of our information security program. This team also has responsibility to maintain and enhance the Company’s written cybersecurity incident response plan, which identifies incident severity classifications and serves as a trigger for escalation for the response team. With over 25 years of experience across diverse IT technologies, the CIO brings extensive expertise to the role. The CIO is also a member of the Company’s executive leadership team, meeting regularly with the CEO, CFO, and other senior leaders. The CIO directly reports to the Board at least annually, addressing cybersecurity risks and strategy, and attends Board meetings to discuss cybersecurity matters as needed. The Audit Committee provides oversight of the information security program. The CIO reports to the Audit Committee annually on cybersecurity risks and related internal controls and attends quarterly meetings to provide updates and address any questions regarding cybersecurity and information technology systems.
Company Information
Name | BASSETT FURNITURE INDUSTRIES INC |
CIK | 0000010329 |
SIC Description | Wood Household Furniture, (No Upholstered) |
Ticker | BSET - Nasdaq |
Website | |
Category | Accelerated filer Smaller reporting company |
Fiscal Year End | November 29 |