LEGGETT & PLATT INC - (LEG)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.
We rely on information systems to obtain, process, analyze, and manage data, as well as to facilitate the manufacture and distribution of inventory to and from our facilities. We receive, process, and ship orders, manage the billing of and collections from our customers, and manage the accounting for and payment to our vendors. We also manage our production processes with certain industrial control systems. Consequently, we are subject to cybersecurity risk.
From time to time, we have experienced immaterial cybersecurity threats and incidents. When these threats and incidents have occurred, we have taken appropriate remediation steps and, through investigation, determined that the threats or incidents did not have a material effect on our business, results of operations, or financial results.
Cybersecurity Risk Management and Strategy
We have a process in place for assessing, identifying, and managing material risks from cybersecurity threats and incidents, which is based on industry-recognized frameworks and takes a multifaceted approach to protecting our network, systems, and data, including personal information. To prevent cybersecurity incidents, we deploy a wide range of protective security technologies and tools, including, but not limited to, encryption, firewalls, endpoint detection and response, security information and event management, multi-factor authentication, and threat intelligence feeds. To maintain the effectiveness of this framework, we conduct periodic real-world simulation exercises to test, educate, promote awareness, and identify any refinements needed.
Cybersecurity threats are identified, assessed, and monitored by our security operations center, which is staffed with cybersecurity professionals who report to the Company's Chief Information Security Officer (CISO), and includes resources provided by external vendors. When a cybersecurity threat or incident meets certain categorized thresholds as determined by our Cybersecurity Incident Response Plan, we follow an escalation review process which can result in our CISO forwarding the threat or incident to our cybersecurity crisis response team consisting of our Chief Executive Officer (CEO), Chief Financial Officer, Chief Human Resources Officer, Chief Information Officer, and General Counsel (the "Crisis Response Team"). Our CISO and the Crisis Response Team, pursuant to guidance from our CISO, assess and manage our response to cybersecurity threats and incidents. Our CISO follows a risk-based escalation process to notify our General Counsel of certain cybersecurity threats and incidents, and our General Counsel analyzes our obligation to report any incident publicly. If the General Counsel determines disclosure is warranted, she reports this conclusion to the CISO, the Crisis Response Team, and the Company's Public Disclosure Committee for consideration and disclosure.
We have integrated cybersecurity risk into our overall enterprise risk management (ERM) process. Pursuant to the ERM process, cybersecurity risk is evaluated for likelihood, significance, and velocity on a semiannual basis by designated risk owners. The risk owners consist of a cross-functional group of leaders, led by our CISO. Based on the ERM analysis, we adjust, if necessary, our process for the identification, assessment, and monitoring of cybersecurity threats and incidents.
PART I
We engage third parties in connection with our cybersecurity identification, assessment, and response processes, including to periodically benchmark our cybersecurity program against the National Institute of Standards and Technology’s Cybersecurity Framework. We also maintain active retainers with certain third parties that can be engaged in the event of a cybersecurity threat or incident. We have established a process to oversee and identify risks and cybersecurity threats associated with our third-party service providers, which includes the use of monitoring technology. We also survey certain third-party providers regarding their security controls.
Although we have not experienced any material cybersecurity incidents, because of past immaterial cybersecurity threats and incidents, and what we have learned in responding to those threats, we have accelerated multiple cybersecurity program enhancement efforts, including expansion of resources, increased visibility, and stronger protective controls. In 2024, we expect to spend roughly $9 million in maintaining and enhancing our cybersecurity protection efforts. As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us, including our business strategy, results of operations, or financial condition. However, for a discussion of risks from cybersecurity threats that could materially affect our business strategy, results of operations, or financial condition, see Item 1A. Risk Factors - "Information technology failures, cybersecurity incidents, or new technology disruptions could have a material adverse effect on our operations" on page 24, which is incorporated by reference into this Item 1C.
Cybersecurity Governance
Our Board has oversight of all cybersecurity threats and incidents. On a quarterly basis, and more often if warranted, the CISO, or the CEO in coordination with the CISO, reports to the full Board any potentially material cybersecurity threat or incident and our activities regarding the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents.
Our CISO and the Crisis Response Team, pursuant to guidance from our CISO, assess, identify, and manage material risks from cybersecurity threats and incidents, as described above under "Cybersecurity Risk Management and Strategy." The CISO has served in this role since 2022, and has over 20 years of professional experience in identifying, evaluating, and responding to cybersecurity threats and incidents. The CISO holds a bachelor’s degree in electrical engineering from Arizona State University and is a Certified CISO under the Carnegie Mellon University CISO Certification Program, a Certified Information Systems Auditor (CISA), and a Certified Information Systems Security Professional (CISSP). Members of the Crisis Response Team have extensive work experience in systems and programming, auditing, compliance and privacy laws, financial controls and procedures, and operations management. With the assistance of the CISO, along with our internal cybersecurity and information technology professionals and our third-party cybersecurity consultants and advisors, the Crisis Response Team is charged with the responsibility of preventing, detecting, mitigating, and remediating cybersecurity threats and incidents.
Although we have purchased broad form cyber insurance coverage and believe that our cybersecurity protection systems are adequate, cybersecurity risk has increased due to remote access, remote work conditions, and the increased sophistication of cybersecurity adversaries, as well as the increased frequency of malware attacks. As such, information technology failures or cybersecurity breaches could still create system disruptions or unauthorized disclosure or alteration of confidential information, as well as disruptions to the systems of our third-party suppliers and providers. We cannot be certain that attackers' capabilities will not compromise the technology protecting our information systems, including through ransomware affecting our industrial control systems. If these systems are interrupted or damaged by any incident or fail for any extended period of time, then our results of operations could be adversely affected. We may incur remediation costs, increased cybersecurity protection costs, ransom payments, lost revenues resulting from unauthorized use of proprietary information, litigation and legal costs, increased insurance premiums, reputational damage, damage to our competitiveness, and a negative impact on our stock price and long-term shareholder value.
For more information regarding cybersecurity risks, refer to Information Technology and Cybersecurity Risk Factors on page 24.