LEAR CORP 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 14, 2025

LEAR CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 16:02:39 EST.

Filings

10-K filed on 2025-02-14

LEAR CORP filed a 10-K at 2025-02-14 16:02:39 EST
Accession Number: 0000842162-25-000010


Item 1C. Cybersecurity.

ITEM 1C - CYBERSECURITY

Risk Management and Strategy

We have implemented and maintain multiple layers of physical, administrative and technical security processes designed to protect our manufacturing facilities from disruptions that may result from cybersecurity incidents, as well as safeguard the confidentiality of our critical systems, and data residing on those systems, including employee data, customer data and intellectual property. Our risk assessment and management of material risks from cybersecurity threats are integrated into our overall enterprise risk management process, as well as our information systems processes. Our strategy includes regular formal risk assessments, dynamic risk and threat analysis, utilization of security tools, regular cybersecurity-related tabletop and phishing exercises designed to simulate cybersecurity incidents, and frequent security awareness and technical security trainings. We conduct periodic internal and third-party assessments to evaluate our cybersecurity posture and to test and assess our incident response program, incident roles and responsibilities, material impact evaluation, and decision-making processes in the event of a cybersecurity incident. We use our risk and security assessments to enhance our information security capabilities. We also have an internal employee network of hundreds of security awareness ambassadors from diverse functions throughout our global locations who inform our personnel concerning threat awareness and cybersecurity risk mitigation.

Depending on the environment, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our information systems and data, including an incident response policy and scenario-based playbooks, an incident detection program, a vulnerability management program, disaster recovery and business continuity plans, risk assessment processes, security standards, network security controls, access controls, systems monitoring, employee awareness training and cyber insurance. Our internal information security team oversees and works collaboratively with various information security service providers. Our cybersecurity program and practices are supported through the use of third-party service providers to assist in the identification, assessment and management of risks specific to cybersecurity threats, including vendors providing threat intelligence, risk mitigation, dark web monitoring, external scanning and scoring, threat and reputation monitoring, forensics, cyber insurance, advisory services and legal counsel. We use a managed security service provider to augment our internal information security team and to provide additional monitoring capabilities.

We also have a vendor management program addressing cybersecurity risk associated with third-party application providers, hosting services and information technology support services we may retain. This program includes security questionnaires, review of vendor security programs, review of security assessments and assurance reports, vulnerability scans, and direct inquiries and collaboration with our vendors’ security personnel. Our vendor management process involves different levels of assessment depending on the services provided by the vendor, the sensitivity of the related information systems and data, and the identity of the provider. It is designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

We have an incident response plan that includes scenario-based playbooks for addressing cybersecurity incidents and associated crisis communication procedures designed to facilitate coordination across the Company and with our partners, customers, the public and others.

For the year ended December 31, 2024, there have been no risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, financial condition or results of operations. For a description of risks related to our information technology systems, including cybersecurity threats, see Item 1A, “Risk Factors.”

Governance

Our Board of Directors (the “Board”) addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee of the Board (the “Audit Committee”) is responsible for overseeing our cybersecurity risk management processes, including our assessment and mitigation of material risks from cybersecurity threats. The Audit Committee receives regular reports, summaries or presentations related to cybersecurity threats, risk, mitigation and related processes from the Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”). In addition, on at least an annual basis, the Board receives reports, summaries or presentations related to cybersecurity threats, risk, mitigation and related processes.

Our cybersecurity risk assessment and management processes are implemented and maintained by our CIO and CISO, who are supported by other members of management, as necessary. Our CIO and CISO are responsible for approving budgets, cybersecurity incident preparedness, approving cybersecurity processes, reviewing security assessments and other security-related reports, and providing the Chief Financial Officer (“CFO”) with regular updates on cybersecurity-related matters. Our CIO has served in this role for four years and has more than twenty-nine years of relevant experience, including previous roles as the CIO for two companies and the divisional information technology leader for two companies. Our CISO, who reports to the CIO, has served in this role for three years and has more than twenty-nine years of relevant experience, including a focus on information security and cybersecurity for the last sixteen years. He previously served as the CISO for another automotive supplier. In addition, our CISO is engaged with the cybersecurity community through current and past involvement with organizations such as the Automotive Information Sharing and Analysis Center, Michigan Infragard, the Domestic Security Alliance Council and the European Association of Automotive Suppliers cybersecurity workgroup. In addition, we have an information security team comprised of dozens of experienced employees who address cybersecurity matters. The CIO and CISO are also responsible for hiring appropriate personnel, assisting with the integration of cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, and mitigating and remediating cybersecurity incidents.

Our cybersecurity incident response program is designed to escalate certain cybersecurity incidents to various levels of management depending on the circumstances, including our CIO, CISO, General Counsel, Division Presidents, CFO and/or Chief Executive Officer (collectively, “Senior Management”) and, in the instance of product cybersecurity incidents, our E-Systems Safety Committee. Senior Management works with our incident response team to help mitigate and remediate certain escalated cybersecurity incidents. In addition, our incident response program includes reporting certain cybersecurity incidents to the Audit Committee and, in certain circumstances, to the Board.


Company Information

Name: LEAR CORP
CIK: 0000842162
SIC Description: Motor Vehicle Parts & Accessories
Ticker: LEA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30