LL Flooring Holdings, Inc. - (LL)
10-K Filing Date: March 01, 2024
Cybersecurity Risk Management and Strategy
Due to the prevalence of cyberattacks and other cyber incidents directed at public companies, cybersecurity is a principal element of our overall enterprise risk management program. We have a multilayered approach for assessing, identifying and managing cybersecurity risks, which is designed to help protect the Company’s information assets and operations from internal and external cyber threats by understanding and seeking to manage risk while protecting employee and customer information from unauthorized access or attack, as well as secure our networks, systems and devices. Cybersecurity is one of the top enterprise risks that we have identified. As part of our quarterly enterprise risk management meetings, we discuss efforts to manage this risk and we assess the degree of risk and whether it is increasing or decreasing.
We devote significant resources to protecting and evolving the security of our computer systems, software, networks and other technology assets. Our cybersecurity risk management processes include physical, procedural and technical safeguards. Our cybersecurity policies, standards and procedures include cyber and data breach response plans, which are benchmarked against the National Institute of Standards and Technology Cybersecurity Framework. The Company’s incident response plan is designed to help coordinate our response to, and recovery from, cybersecurity incidents, and includes processes to triage, assess the severity of, escalate, contain, investigate, and remediate incidents, as well as to comply with applicable legal obligations. The Company seeks to continually improve its policies and practices to identify potential and emerging security risks and develop mitigations for those risks. For example, the Company regularly conducts phishing tests, penetration tests and tabletop simulations to help discover potential vulnerabilities, which enable improved decision-making and prioritization and promote monitoring and reporting across compliance functions. As part of its overall risk mitigation strategy, the Company also maintains cyber insurance coverage.
We engage external parties, including consultants, computer security firms, forensic firms, public relations professionals and attorneys, to advise us on our preparedness and risk management activities. We also regularly consult with industry groups and law enforcement on emerging industry trends.
In order to oversee and identify risks from cybersecurity threats associated with the Company’s use of third-party service providers, we conduct a security risk assessment on all proposed new third-party vendors who will have access to our information and data. We have standard contractual language that we require for vendors who will have access to sensitive data.
We do not believe that there are currently any risks from cybersecurity threats of which we are aware that are reasonably likely to materially affect the Company or its business strategy, results of operations or financial condition. We did experience a network security incident in 2019, which was disclosed previously, from which we have incorporated lessons learned and improved our risk management program. Despite our security measures, however, there is no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that will materially affect us. For additional information regarding the risks to the Company associated with cybersecurity incidents, see "If our management information systems, including our digital platform or our customer contact center, experience disruptions, it could disrupt our business and reduce our net sales" included in Part I, Item 1A (Risk Factors) of this Annual Report.
Cybersecurity Governance and Oversight
The Audit Committee of the Company’s Board of Directors provides direct oversight over cybersecurity risk. The Audit Committee receives and provides feedback on quarterly updates from management regarding cybersecurity and is notified between such updates regarding new cybersecurity threats or incidents. Information presented at the quarterly updates includes any emerging risks or key topics and includes training initiatives, the status of projects to strengthen cybersecurity, cyber readiness, incident tracking, mitigation efforts and response plans. The full Board of Directors receives regular reports from the Audit Committee, as well as an annual report from management highlighting key aspects of our cybersecurity risk management activities and the emerging threat landscape.
The Company has a Chief Information Security Officer (the “CISO”) whose team (the “IT Security Team”) is responsible for leading company-wide cybersecurity strategy, policy, standards and processes and works across all areas of the Company to protect the Company and its employees and customers against cybersecurity risks, perform investigations and respond to cybersecurity incidents. The CISO reports to the Chief Technology Officer (the “CTO”), who is also actively involved with assessing and managing cybersecurity risks. The CISO and the CTO are responsible for the quarterly updates to the Audit Committee regarding cybersecurity. The CISO has 28 years of experience in the IT field, with ten of those years in cybersecurity. The IT Security Team has a combined experience of 42 years, and two members of the IT Security Team have obtained their Certified Ethical Hacker certifications. The CTO has over 34 years of experience in the IT field with a broad understanding of e-commerce and customer-facing technologies.
In an effort to prevent and detect cyber threats, the Company provides all employees with cybersecurity prevention training, which covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and educates employees on the importance of reporting all incidents immediately.