Page last updated on February 20, 2025
MOHAWK INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 20:48:17 EST.
Filings
10-K filed on 2025-02-19
MOHAWK INDUSTRIES INC filed a 10-K at 2025-02-19 20:48:17 EST
Accession Number: 0000851968-25-000023
Item 1C. Cybersecurity.
Risk Management and Strategy

The Company maintains robust and comprehensive policies, processes, procedures and controls to protect and secure its information systems and data infrastructure from cybersecurity threats. The Company’s cybersecurity program is led by its Senior Director of Cybersecurity, who functions as the chief information security officer (“CISO”). The Company’s cybersecurity program interfaces with other functional areas within the Company, including but not limited to the Company’s business segments and information technology (“IT”), legal, risk management, human resources and internal audit departments, as well as external third-party partners, to identify and understand potential cybersecurity threats. The Company regularly assesses and updates its policies, processes, procedures and controls in light of ongoing cybersecurity developments.

Internally, the CISO coordinates oversight of reviewing security alerts, identifying and monitoring ongoing and potential cybersecurity threats, evaluating strategic business impacts of cybersecurity threats and developing programs and initiatives to educate the Company’s employees regarding cybersecurity.

The CISO also manages the Company’s Computer Security Incident Response Plan (the “Incident Response Plan”), which outlines action steps for the preparation, identification, triage, analysis, containment, eradication, recovery and reflection stages of a cybersecurity incident. The Incident Response Plan serves as the charter for the Company’s Computer Security Incident Response Team (the “Incident Response Team”), which includes a strategic team comprised of executives from various cross-functional management teams, as well as a tactical team comprised of internal technical support roles and external third-party service providers.
The Incident Response Plan provides how the Incident Response Team will analyze and, as necessary, escalate cybersecurity incidents both internally and with third-party service providers based on type and severity of the specific incident.

The CISO also oversees the Company’s management of third-party service providers. The Company has engaged a third-party managed detection and response company to monitor the security of its information systems, including intrusion detection, and to provide timely alerts if a cybersecurity event occurs. The Company also has engaged a third-party digital forensics and incident response consultant on retainer.

The Company also requires cybersecurity training for certain employees, focusing on the appropriate protection and security of confidential company and third-party information. Additionally, the Company provides annual cybersecurity awareness training that covers a broad range of security topics, which may include secure access practice, phishing schemes, remote work and response to suspicious activities. In addition to online training, employees are educated through a number of methods, including event-triggered awareness campaigns, recognition programs, security presentations, company intranet articles, videos, system-generated communications, email publications and various simulation exercises.

The Company does not believe that any risks from cybersecurity threats, nor any previous cybersecurity incidents, have materially affected the Company. However, the sophistication of cyber threats continues to increase, and the preventative actions the Company has taken and continues to take to reduce the risk of cyber incidents and protect its systems and information may not successfully protect against all cyber incidents. For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations, or financial condition, please refer to Item 1A Risk Factors.
Governance

The Company’s Audit Committee and Board of Directors provide ultimate oversight of the Company’s cybersecurity risk management. The Audit Committee regularly reviews and discusses with management the policies, processes, procedures and controls pertaining to the management of the Company’s information technology operations, including cyber risks and cybersecurity. The Company’s Chief Information Officer (“CIO”) provides quarterly reports to the Board of Directors regarding the evolving cybersecurity risk landscape, including emerging risks, as well as the Company’s policies, processes, procedures and controls for managing these risks.

The Company’s acting CISO reports directly to the CIO, who in turn reports to the Chief Executive Officer. The CISO maintains the certified information systems security professional certification and has more than 23 years of experience in cybersecurity. Under the direction of the CISO, the Company’s information technology department continuously analyzes cybersecurity risks to its business, considers industry trends and implements controls, as appropriate, to mitigate these risks. This analysis drives the Company’s long- and short-term cybersecurity strategies, which are executed through a collaborative effort within the IT department and are communicated to the Board of Directors regularly.
Company Information
Name | MOHAWK INDUSTRIES INC |
CIK | 0000851968 |
SIC Description | Carpets & Rugs |
Ticker | MHK - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |