LENNOX INTERNATIONAL INC 10-K Cybersecurity GRC - 2025-02-11

Page last updated on February 11, 2025

LENNOX INTERNATIONAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 15:23:19 EST.

Filings

10-K filed on 2025-02-11

LENNOX INTERNATIONAL INC filed a 10-K at 2025-02-11 15:23:19 EST
Accession Number: 0001628280-25-004859


Item 1C. Cybersecurity.

Risk Management and Strategy

We manage cybersecurity risk through three core teams: cybersecurity engineering, data privacy, and a security operation center. These teams are responsible for overseeing data safety during new system and infrastructure deployments, maintaining appropriate cybersecurity controls, and monitoring, documenting and investigating any anomalies affecting employees, suppliers, and customers. Our IT security controls are designed to align with the NIST (National Institute of Standards and Technology) standards and are tested on an ongoing basis. These controls and procedures include processes that oversee and identify cybersecurity risks associated with third-party service providers that we engage, as described below. For instance, we conduct risk and compliance assessments of third-party service providers that request access to our information assets.

To support our internal risk management structure, we use third-party specialists to monitor for emerging threats, conduct vulnerability scans and analysis including simulated hacker attacks, and audit our cybersecurity framework. We also maintain an information security risk insurance policy in the event of a security breach. Our internal audit function also performs independent testing on aspects of the operations of our cybersecurity program and the supporting controls based upon its risk-based internal audit plan and reports the results of these audits in its periodic reports to the Audit Committee.

Leadership receives training on how to respond to ransomware events and participates in breach simulations at least once a year. Additionally, employees throughout the organization support LII’s risk management efforts by participating in mandatory cybersecurity training at least once a year, ongoing awareness campaigns, and quarterly simulated phishing attempts.

To our knowledge, LII’s business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats within the last three years, including as a result of previously identified cybersecurity incidents. However, we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A, “Risk Factors.”

Governance

Our Chief Technology Officer is ultimately responsible for overseeing all cybersecurity management, including the three core teams mentioned above, and reports to the Board of Directors twice a year on our cybersecurity tactical responses and strategic roadmap. The entire Board of Directors reviews significant cybersecurity risks and works with the Audit Committee to address enterprise risk management processes and policies.

At the management level, our Data Protection & Cybersecurity Steering Committee (“DPCSC”) meets on a quarterly basis. The DPCSC includes representatives from communications, ethics and compliance, human resources, information technology, corporate audit, legal, risk, privacy, and sourcing. This committee is responsible for overseeing LII’s data protection and cybersecurity policies and procedures. These cybersecurity policies and procedures include an IT security and privacy incident response plan to notify the appropriate parties, including our Chief Technology Officer, our Disclosure Committee, and our Board of Directors, in a timely manner.

Our Chief Technology Officer has served in the role since 2008, and has more than 15 years of experience in developing and executing large enterprise data privacy and cyber security roadmaps at publicly-traded companies. He holds undergraduate and graduate degrees in engineering. Our Vice President, Information Technology, has served in the role since 2003, and has more than 35 years of cybersecurity experience. He holds an undergraduate degree in computer science.


Company Information

Name: LENNOX INTERNATIONAL INC
CIK: 0001069202
SIC Description: Air-Cond & Warm Air Heatg Equip & Comm & Indl Refrig Equip
Ticker: LII - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30