LIFETIME BRANDS, INC - (LCUT)
10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity
Risk management and strategy
The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard its information systems and to protect the confidentiality, integrity, and availability of its data.
The Company has integrated cybersecurity risk management into its broader enterprise risk management (“ERM”) through defined training and incident response plans. The incident response plan defines the objectives, roles and responsibilities, and scope of our incident response program, is designed to detect actual or potential cybersecurity events, and is triggered by Endpoint Detection and Response (“EDR”) system behavior monitoring. Once initiated, the incident response plan consists of several phases, which include i) detecting a significant observable event, ii) examining a security-related event with potential negative IT consequences for the Company, and iii) analyzing the risk of the event and the degree of remediation required. The Company has developed an incident management plan that operates within the incident response plan to help define the objectives, roles, responsibilities, and scope of our incident response plan.
In addition, the Company’s training and response methodology includes regular end-user cybersecurity updates, phishing tests and online trainings. We believe that these measures help promote a company-wide culture of appropriate cybersecurity risk management, as well as ensure that cybersecurity considerations are an integral part of the Company’s ERM decision-making processes at every level. The Company considers industry best practices to continuously evaluate and address cybersecurity risks in alignment with its business objectives and operational needs.
The full Board of Directors is responsible for the oversight of the Company’s cybersecurity risk management. The Board is updated by the EVP, Global Supply Chain & Import regularly to remain informed on the Company’s efforts in managing risks associated with cybersecurity threats.
The Company’s Infrastructure Director is responsible for managing cybersecurity risks, including the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Infrastructure Director has 20 years of experience in the creation and management of enterprise security risk programs. The Infrastructure Director reports to the Chief Information Officer, who actively engages to monitor IT activities and has 40 years of enterprise security management experience as well as membership in a CIO peer group that reviews local cybersecurity concerns on a regular basis. The Chief Information Officer in turn reports to the EVP, Global Supply Chain & Import, who is responsible for the Company’s management of cybersecurity risk. Through these activities and monitoring, both internally and externally, any events or incidents identified will be escalated to the appropriate Business Team Member in accordance with the Company’s Incident Management Plan.
The Company engages with third-party experts, including a cybersecurity-focused Security Operations Center (SOC) and leading-edge EDR providers, to assist in evaluating and detecting security risk and initiating corrective actions. These partnerships enable the Company to leverage specialized knowledge and insights, ensuring cybersecurity strategies and processes remain aligned with industry best practices. The collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements.
The Company uses third-party service providers in various functions throughout its business. The Company has stringent processes to oversee and manage risk with these third parties. The Company’s process includes risk assessment activities, such as security assessments of all third-party providers; policies, such as “minimum required access,” to ensure compliance with current cybersecurity standards; and monitoring activities, such as the review of potential cyber breach announcements made by the third-party service providers.
Notwithstanding the approach we take to cybersecurity risk management, we may be unsuccessful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.