HAVERTY FURNITURE COMPANIES INC 10-K Cybersecurity GRC - 2025-03-06

Page last updated on March 6, 2025

HAVERTY FURNITURE COMPANIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-06 15:07:41 EST.

Filings

10-K filed on 2025-03-06

HAVERTY FURNITURE COMPANIES INC filed a 10-K at 2025-03-06 15:07:41 EST
Accession Number: 0001628280-25-010869

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Risk management and strategy We have processes in place to identify, assess and monitor material risks from cybersecurity threats. These processes are part of our overall enterprise risk management process and are part of our operating procedures, internal controls, and information systems. These risks include, among other things, operational risks; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have developed and implemented a cybersecurity framework intended to assess, identify and manage risks from threats to the security of our information, systems, and network using a risk-based approach. The framework is informed in part by the National Institute of Standards and Technology (NIST) Cybersecurity Framework, although this does not imply that we meet all technical standards, specifications, or requirements under the NIST. Our key cybersecurity processes include the following: - Risk-based controls for information systems and information on our networks: We seek to maintain an information technology infrastructure that implements physical, administrative and technical controls that are calibrated based on risk and designed to protect the confidentiality, integrity and availability of our information systems and information stored on our networks, including customer and employee information. - Cybersecurity incident response plan and testing: We have a cybersecurity incident response plan and dedicated teams to respond to cybersecurity incidents. When a cybersecurity incident occurs or we identify a vulnerability, we have cross-functional teams that are responsible for leading the initial assessment of priority and severity, and external experts may also be engaged as appropriate. Our cybersecurity teams assist in responding to incidents depending on severity levels and seek to improve our cybersecurity incident management plan through periodic tabletops or simulations. - Training: We provide security awareness training to help our employees understand their information protection and cybersecurity responsibilities. We also provide additional training to some employees based their roles. - Supplier risk assessments: Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply-chain or who have access to our customer and employee data on our systems. Third-party risks are included within our risk management assessment program, as well as our cybersecurity-specific risk identification program. These considerations affect the selection and access to our systems, data, or facilities. We also seek contractual commitments from key suppliers to appropriately secure and maintain their information technology systems and protect our information that is processed on their systems. - Third-party assessments: We have third-party cybersecurity companies engaged to periodically assess our cybersecurity posture, to assist in identifying and remediating risks from cybersecurity threats. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such risks. As part of the above processes, we regularly engage with consultants, auditors, and other third-parties, including reviewing our cybersecurity program to help identify areas for continued focus, improvement and/or compliance. To date, risks from cybersecurity threats or incidents have not materially affected the Company. However, the sophistication of and risks from cybersecurity threats and incidents continues to increase, and the preventative actions we have taken and continue to take to reduce these risks and protect our systems and information may not successfully protect against all cybersecurity threats and incidents. For more information on how cybersecurity risk could materially affect our business strategy, results of operations, or financial condition, please refer to Item 1A Risk Factors. Cybersecurity Governance The board of directors, as a whole, has oversight responsibility for our strategic and operational risks. The audit committee regularly reviews and discusses with management the strategies, processes, and controls pertaining to the management of our information technology operations, including cyber risks and cybersecurity. Our Senior Vice President (SVP) of Information Technology and other internal members of our technology team provide regular reports to the audit committee regarding the evolving cybersecurity landscape, including emerging risks, as well as our processes, programs, and initiatives for managing these risks. The audit committee, in turn, periodically reports on its review with the board of directors. Management is responsible for day-to-day assessment and management of cybersecurity risks. Our cybersecurity risk management and strategy processes are led by our SVP of Information Technology and Assistant Vice President (AVP) of IT Infrastructure and Security . Such individuals have collectiv ely over 50 ye ars of work experience in various roles managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs. The SVP of Information Technology also presents at least annually to the Board an overview of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results of third-party assessments, our incident response plan, and cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks.

Company Information