MOHAWK INDUSTRIES INC - (MHK)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company maintains robust and comprehensive processes, procedures and controls to protect and secure its information systems and data infrastructure from cybersecurity threats. The Company’s cybersecurity program is led by its Senior Director of Cybersecurity, who functions as the chief information security officer (CISO). The Company’s cybersecurity program interfaces with other functional areas within the Company, including but not limited to the Company’s business segments and information technology (“IT”), legal, risk management, human resources and internal audit departments, as well as external third-party partners, to identify and understand potential cybersecurity threats. The Company regularly assesses and updates its processes, procedures and management techniques in light of ongoing cybersecurity developments.
Internally, the CISO coordinates oversight of reviewing security alerts, identifying and monitoring ongoing and potential cybersecurity threats, evaluating the strategic business impacts of cybersecurity threats and developing programs and initiatives to educate the Company’s employees regarding cybersecurity. The CISO also manages the Company’s Computer Security Incident Response Plan (the “Incident Response Plan”), which outlines action steps for the preparation, identification, triage, analysis, containment, eradication, recovery and reflection stages of a cybersecurity incident. The Incident Response Plan serves as the charter for the Company’s Computer Security Incident Response Team (the “Incident Response Team”), which includes a strategic team comprised of executives from various cross-functional management teams, as well as a tactical team comprised of internal technical support roles and external third-party service providers. The Incident Response Plan sets out how the Incident Response Team will analyze and, as necessary, escalate cybersecurity incidents both internally and with third-party service providers based on the type and severity of the specific incident.
The Company also requires cybersecurity training for relevant employees, focusing on the appropriate protection and security of confidential company and third-party information. Additionally, the Company provides annual cybersecurity awareness training that covers a broad range of security topics, including secure access practices, phishing schemes, remote work and response to suspicious activities. In addition to online training, employees are educated through a number of methods, including event-triggered awareness campaigns, recognition programs, security presentations, company intranet articles, videos, system-generated communications, email publications and various simulation exercises.
The Company has engaged a third-party managed detection and response company to monitor the security of its information systems around the clock, including intrusion detection, and to provide immediate alerting should a cybersecurity event occur. The Company also has engaged a third-party digital forensics and incident response consultant on retainer.
The Company does not believe that any risks from cybersecurity threats, nor any previous cybersecurity incidents, have materially affected the Company. However, the sophistication of cyber threats continues to increase, and the preventative actions the Company has taken and continues to take to reduce the risk of cyber incidents and protect its systems and information may not successfully protect against all cyber incidents. For more information on how cybersecurity risk may materially affect the Company’s business strategy, results of operations, or financial condition, please refer to Item 1A Risk Factors.
Governance
The Company’s Audit Committee and Board of Directors provide ultimate oversight of the Company’s cybersecurity risk management. The Audit Committee regularly reviews and discusses with management the strategies, processes, procedures and controls pertaining to the management of the Company’s information technology operations, including cyber risks and cybersecurity. The Company’s Chief Information Officer (“CIO”) provides quarterly reports to the Board of Directors regarding the evolving cybersecurity risk landscape, including emerging risks, as well as the Company’s processes, program and initiatives for managing these risks.
The Company’s CISO reports directly to the CIO, who in turn reports to the CEO. The CISO holds the Certified Information Systems Security Professional (CISSP) certification and has over 22 years of experience in cybersecurity. Under the direction of the CISO, the Company’s information technology department continuously analyzes cybersecurity and resiliency risks to the Company’s business, considers industry trends and implements controls, as appropriate, to mitigate these risks. This analysis drives the Company’s long- and short-term cybersecurity strategies, which are executed through a collaborative effort within the IT department and are communicated to the Board of Directors regularly.