LIFETIME BRANDS, INC 10-K Cybersecurity GRC - 2025-03-13

Page last updated on March 14, 2025

LIFETIME BRANDS, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-13 16:57:53 EDT.

Filings

10-K filed on 2025-03-13

LIFETIME BRANDS, INC filed a 10-K at 2025-03-13 16:57:53 EDT
Accession Number: 0001628280-25-012650

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard its information systems and to protect the confidentiality, integrity, and availability of its data. The Company has integrated cybersecurity risk management into its broader enterprise risk management (“ERM”) through defined training and incident response plans. The incident response plan defines the objectives, roles and responsibilities and scope of our incident response program, is designed to detect actual or potential cybersecurity events and is triggered by Endpoint Detection and Response (“EDR”) system behavior monitoring. Once initiated, the incident response plan consists of several phases, which includes i) detecting a significant observable event, ii) examining a security related event with potential negative IT consequences for the company and iii) analyzing the risk of the event and the degree of remediation required. The Company has developed an incident management plan that operates within the incident response plan to help define the objectives, roles, responsibilities, and scope of our incident response plan. In addition, the Company’s training and response methodology includes regular end user cybersecurity updates, phishing tests and online trainings. We believe that these measures helps promote a company-wide culture of appropriate cybersecurity risk management, as well as ensure that cybersecurity considerations are an integral part of the Company’s ERM decision-making processes at every level. The Company considers industry best practices to continuously evaluate and address cybersecurity risks in alignment with its business objectives and operational needs. The full Board of Directors is responsible for the oversight of the Company’s cybersecurity risk management. The Board is updated by the EVP, Global Supply Chain & Import regularly to remain informed on the Company’s efforts in managing risks associated with cybersecurity threats. The Company’s Infrastructure Director is responsible for managing cybersecurity risks, including the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Infrastructure Director has 20 years of experience in the creation and management of enterprise security risk programs. The Infrastructure Director reports to the EVP, Global Supply Chain & Import, who oversees the Company’s management of cybersecurity risk. Through these activities and monitoring, both internally and externally, any events or incidents identified will be escalated to the appropriate Business Team Member in accordance with the Company’s Incident Management Plan. The Company engages with third-party experts, including cybersecurity focused Security Operations Center (SOC) and leading-edge EDR providers, to assist in evaluating and detecting security risk and initiate corrective actions. These partnerships enable the Company to leverage specialized knowledge and insights, ensuring cybersecurity strategies and processes remain aligned with industry best practices. The collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements. The Company uses third-party service providers in various functions throughout its business. The Company has stringent processes to oversee and manage risk with these third parties. The Company’s process includes risk assessment activities, such as security assessments of all third-party providers, policies such as “minimum required access” to ensure compliance with current cybersecurity standards and monitoring activities, such as the review of potential cyber breaches announcements made by the third-party service providers. Notwithstanding the approach we take to cybersecurity risk management, we may be unsuccessful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.

Company Information