HNI CORP - (HNI)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

Risk Management and Strategy. Cybersecurity risk management is an integral part of the Corporation’s enterprise risk management program. The cybersecurity risk management program is designed to align with industry best practices and is generally based on the framework established by the National Institute of Standards and Technology (NIST). It provides a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of applications and services provided by third parties, and facilitates coordination across different departments of the Corporation. This framework includes steps for assessing the severity of a cybersecurity threat, identifying the source of a threat, including whether the threat is associated with a third-party service provider, implementing countermeasures and mitigation strategies, and informing management and the Board of Directors of material cybersecurity threats, incidents, and impact.

The cybersecurity team, under the direction of the Corporation’s Chief Information and Digital Officer ("CIDO"), is responsible for assessing, deploying, and managing the cybersecurity risk management program. Recognizing the complexity and evolving nature of cybersecurity threats, the cybersecurity team engages with a range of external experts, including cybersecurity assessors and consultants, in evaluating and testing the Corporation’s risk management systems. The collaboration with these independent third parties includes regular threat assessments, such as penetration tests and table-top exercises, and consultation on security enhancements. In addition, the cybersecurity team provides annual training and ongoing cybersecurity education to applicable personnel. Additionally, the Corporation maintains cyber risk insurance.

Depending on the products and services provided and the potential for data exchange and technology risk, suppliers and other third-party service providers are evaluated by the cybersecurity organization to assess their security and data protection capabilities. Additionally, security and data-focused contract provisions are incorporated where necessary in supplier and other service provider agreements to include industry-standard security and resiliency requirements that include timely reporting of cybersecurity incidents. The Corporation periodically reviews independent assessments of major service providers.

Governance. The Board of Directors has overall oversight responsibility for risk management. Oversight of cybersecurity risks has been delegated to the Audit Committee of the Board of Directors. The Audit Committee also reports material cybersecurity risk to the full Board of Directors.

The Audit Committee is responsible for ensuring management has processes in place designed to identify and evaluate cybersecurity risks to which the Corporation is exposed and implement programs to manage cybersecurity risks and mitigate cybersecurity incidents.

Management under the CIDO is responsible for identifying, considering, and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential risk exposures are monitored, implementing appropriate mitigation measures and maintaining cybersecurity programs. The CIDO and cybersecurity team members are certified and/or experienced information systems security professionals and information security managers with many years of experience.

The CIDO receives reports from the cybersecurity team and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. Appropriate procedures for communication to the Audit Committee are also built into the incident response plan.

The CIDO regularly updates the Audit Committee and the full Board of Directors on the Corporation’s cybersecurity risk management program, material cybersecurity risks, and mitigation strategies. Management provides the Audit Committee with quarterly cybersecurity reports that cover, among other topics, third-party assessments of the Corporation’s cybersecurity risk management program, developments in cybersecurity, and updates to the Corporation’s cybersecurity risk management program and mitigation strategies.

Cybersecurity Threats. The Corporation has not identified cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to affect the Corporation. There can be no assurance that this will continue to be the case. Notwithstanding the Corporation’s investment in cybersecurity, it may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on its business, results of operations or financial condition. For a discussion of cybersecurity risks affecting the Corporation’s business, see "Item 1A. Risk Factors - STRATEGIC AND OPERATIONAL RISKS - The Corporation relies on information technology systems to manage numerous aspects of the business and a disruption or failure of these systems could adversely affect business, operating results, and financial condition." which is incorporated by reference into this Item 1C.