HAVERTY FURNITURE COMPANIES INC - (HVT)
10-K Filing Date: March 07, 2024
ITEM 1C. Cybersecurity
Risk management and strategy
We have processes in place to identify, assess and monitor material risks from cybersecurity threats. These processes are part of our overall enterprise risk management process and are embedded in our operating procedures, internal controls, and information systems. These risks include, among other things, operational risks; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have developed and implemented a cybersecurity framework intended to assess, identify and manage risks from threats to the security of our information, systems, and network using a risk-based approach. The framework is informed in part by the National Institute of Standards and Technology (NIST) Cybersecurity Framework, although this does not imply that we meet all technical standards, specifications or requirements under the NIST Cybersecurity Framework.
Our key cybersecurity processes include the following:
•Risk-based controls for information systems and information on our networks: We seek to maintain an information technology infrastructure that implements physical, administrative and technical controls that are calibrated based on risk and designed to protect the confidentiality, integrity and availability of our information systems and information stored on our networks, including customer and employee information.
•Cybersecurity incident response plan and testing: We have a cybersecurity incident response plan and dedicated teams to respond to cybersecurity incidents. When a cybersecurity incident occurs or we identify a vulnerability, we have cross-functional teams that are responsible for leading the initial assessment of priority and severity, and external experts may also be engaged as appropriate. Our cybersecurity teams assist in responding to incidents depending on severity levels and seek to improve our cybersecurity incident management plan through periodic tabletops or simulations.
•Training: We provide security awareness training to help our employees understand their information protection and cybersecurity responsibilities. We also provide additional training to some employees based on their roles.
•Supplier risk assessments: Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or those who have access to our customer and employee data on our systems. Third-party risks are included within our risk management assessment program, as well as our cybersecurity-specific risk identification program. These considerations inform which suppliers we select and what access they are granted to our systems, data, or facilities. We also seek contractual commitments from key suppliers to appropriately secure and maintain their information technology systems and to protect our information that is processed on their systems.
•Third-party assessments: We engage third-party cybersecurity firms to periodically assess our cybersecurity posture and to assist in identifying and remediating risks from cybersecurity threats. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such risks.
As part of the above processes, we regularly engage with consultants, auditors, and other third parties, including to review our cybersecurity program and help identify areas for continued focus, improvement and/or compliance.
To date, risks from cybersecurity threats or incidents have not materially affected the Company. However, the sophistication of and risks from cybersecurity threats and incidents continues to increase, and the preventative actions we have taken and continue to take to reduce these risks and protect our systems and information may not successfully protect against all cybersecurity threats and incidents. For more information on how cybersecurity risk could materially affect our business strategy, results of operations, or financial condition, please refer to Item 1A Risk Factors.
Cybersecurity Governance
The board of directors, as a whole, has oversight responsibility for our strategic and operational risks. The audit committee regularly reviews and discusses with management the strategies, processes and controls pertaining to the management of our information technology operations, including cyber risks and cybersecurity. Our Chief Information Officer (CIO) and other internal members of our technology team provide regular reports to the audit committee regarding the evolving cybersecurity landscape, including emerging risks, as well as our processes, program and initiatives for managing these risks. The audit committee, in turn, periodically reports on its review to the board of directors.
Management is responsible for day-to-day assessment and management of cybersecurity risks. Our cybersecurity risk management and strategy processes are led by our CIO, VP Information Technology, and Manager of Security. Such individuals have collectively over 50 years of work experience in various roles managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs.
The CIO also presents at least annually to the Board an overview of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results of third-party assessments, our incident response plan, and cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks.