MATTEL INC /DE/ - (MAT)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Mattel has processes in place for assessing, identifying, and managing material risks from cybersecurity threats, which include developing, implementing, and maintaining cybersecurity measures and controls. Mattel considers the following factors, among others, to assess whether adequate protections are in place to address risks from known and anticipated cybersecurity threats: likelihood and severity of risk; impact on Mattel and others, including retail customers, suppliers, consumers, or employees, if a risk materializes; feasibility and cost of controls; and impact of controls on operations.
As part of its cybersecurity risk management program, Mattel utilizes cybersecurity assessors, consultants, auditors, and other third parties to assist its internal team with network security, cloud security, endpoint security, data loss prevention, and security information and event management. In addition, Mattel utilizes a variety of third-party technology, information systems, and service providers to help identify, isolate, and mitigate security incidents.
Mattel seeks to identify vulnerabilities and mitigate risks from cybersecurity threats posed by its use of third-party technology, information systems, and service providers through oversight by Mattel's information technology ("IT") organization through a variety of processes, including conducting onboarding due diligence, imposing contractual obligations related to privacy and information security, and regularly monitoring the performance of third parties providing critical support systems.
To support incident response preparedness, Mattel has developed a cybersecurity incident response plan and conducts an annual simulated incident exercise. The cybersecurity incident response plan addresses cybersecurity incidents that directly impact Mattel or arise from Mattel's use of third-party technology, information systems, and service providers. Mattel also utilizes business continuity and disaster recovery plans to prepare for potential disruptions in technology that Mattel relies upon. Further, Mattel monitors novel and advanced cybersecurity threats and provides ongoing employee security awareness training.
As part of Mattel's overall risk management program, Mattel's IT organization has a governance, risk, and compliance group that provides oversight regarding IT-related risks, including cybersecurity risks, and monitors Mattel's IT control environment. This group also works with Mattel's Internal Audit team to assess Mattel's cybersecurity processes. In addition, Mattel's IT organization has a steering committee comprised of internal privacy and cybersecurity experts, chaired by Mattel's Chief Information Security Officer ("CISO"), which is responsible for the development and maintenance of Mattel's privacy and information security programs and regularly reports to Mattel's Chief Technology Officer ("CTO").
Mattel is subject to cybersecurity threats that could have a material adverse impact on its results of operations, financial condition, and liquidity, as further discussed in Item 1A "Risk Factors" under the headings of Legal and Regulatory. Mattel is not aware of having experienced any cybersecurity threats or incidents to date that have materially affected or are reasonably likely to materially affect Mattel, its business strategy, results of operation or financial condition. However, there can be no assurance that Mattel will be able to mitigate negative impacts in the same way in the event of future attacks or other cyber incidents.

Governance
Mattel's CISO has more than twenty years of cybersecurity industry experience at Mattel and elsewhere and is responsible for coordinating cybersecurity efforts within Mattel, with a focus on cybersecurity threat prevention, detection, and mitigation, as well as enhancement of privacy and security measures, including security updates, security architecture and engineering, and identity access management. Mattel's CISO reports to the CTO, regularly communicating risks and other relevant information related to cybersecurity threats and incidents. Mattel's CTO has significant leadership, cybersecurity, and technology experience, is responsible for overseeing the monitoring and mitigation of cybersecurity threats, and advises and consults Mattel's senior management regarding material cybersecurity risks.
A team led by the CISO implements and maintains systems designed to detect and prevent cybersecurity threats, monitors important developments that may present risk to Company and third-party systems, and oversees the results of internal and third-party security reviews. The CISO provides regular updates to Mattel's CTO regarding critical and major severity security incidents involving Company systems, security incidents involving third parties that have the potential to impact Mattel's operations or involve sensitive customer, supplier, consumer, or employee data, and mitigation and remediation implemented to address such threats or incidents.
The Audit Committee of the Board of Directors (the "Audit Committee") oversees the Company's assessment and management of material cybersecurity risks. The CTO reports to the Audit Committee on Mattel's cybersecurity, including material cybersecurity risks and mitigation, at least annually. The CTO reports and escalates cybersecurity incidents to management and the Audit Committee as appropriate.