Sleep Number Corp - (SNBR)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Sleep Number uses a “defense in depth” approach for its cybersecurity risk management program leveraging the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. The Company regularly assesses the threat landscape for cybersecurity risks, with a strategy based on prevention, detection and mitigation. The Company’s information technology (IT) security team, led by the VP of Information Security and Architecture and the Chief Information Officer, reviews cybersecurity risks on an ongoing basis. IT security team members who support its information security program have relevant educational and industry experience. The VP of Information Security and Architecture, and their team, provide regular reports to senior management, the Audit Committee, and other relevant teams on various cybersecurity threats, assessments and findings. The IT security team has established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats, which are also identified and assessed through the Company’s overall risk management program, including quarterly assessments of IT systems, cybersecurity and related risks.
The Company maintains controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Audit Committee in a timely manner.
The Company assesses cybersecurity risks on an ongoing basis, including assessing and deploying technical safeguards designed to protect its information systems from cybersecurity threats. The Company has established comprehensive incident response and recovery plans, regularly tests and evaluates the effectiveness of those plans, and maintains cybersecurity risk insurance.
The Company implements processes to identify, prioritize, assess, mitigate and remediate risks associated with third-party service providers. It conducts security assessments of critical third-party providers before engagement and maintains ongoing monitoring to ensure compliance with the Company’s cybersecurity standards. The monitoring includes ongoing assessments by the IT security team. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties. The Company also contractually requires the key third parties it engages to implement security programs commensurate with their risk.
The Company regularly reminds its team members and contractors of the importance of handling and protecting customer and employee data. The Company provides all its team members with dedicated cybersecurity awareness training annually and conducts monthly phishing simulation testing and other cybersecurity awareness campaigns (e.g., intranet articles, cybersecurity awareness month).
The Company engages with a range of external experts, including cybersecurity assessors, consultants, auditors, and legal counsel, in evaluating and testing its cybersecurity risk management systems. This enables the Company to leverage specialized knowledge, experience and insights, to help ensure its cybersecurity strategies and processes remain current.
• The Company has cybersecurity operations and engineering capabilities that provide comprehensive monitoring to detect and respond to cyber threats and alerts and execute cyber incident response playbooks. This includes a vulnerability management program which identifies and drives remediation of risks. The Company employs a wide array of industry-leading security platforms and tools.
• The Company has retained data security and data privacy legal counsel whose practices focus on data breach response, information security compliance, and compliance with the data privacy laws in the various jurisdictions in which the Company operates.
• In addition, the Company engages specialized consultants and third-party managed service providers on a project-specific basis to assist it with projects that will improve the Company’s IT infrastructure, strengthen its security posture and cyber incident investigations, and improve its cyber readiness.
31 | 2023 FORM 10-K | SLEEP NUMBER CORPORATION |
Management’s Role
The Chief Information Officer (CIO) has primary operational responsibility for the Company’s cybersecurity function. The CIO has served in various roles in information technology and information security for over 28 years with nine years’ experience specifically in cybersecurity. The CIO, together with the Vice President of Information Security and Architecture – who has 20 years of cybersecurity experience and has maintained a Certified Information Systems Security Professional (CISSP) certification since 2008 – and the Chief Legal and Risk Officer have primary responsibility for assessing and managing material cybersecurity risks. This group, and their supporting teams, meets quarterly to review security performance metrics, identify security risks, and assess the status of approved security enhancements. This group also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies.
Board Oversight
At the Board level, the Audit Committee is formally tasked with assisting the full Board in overseeing information security systems, including cybersecurity, and reporting to the Board with respect to significant and material developments or proposed changes to the Company’s cybersecurity framework. The Audit Committee receives regular reports from the CIO and the Vice President of Information Security and Architecture about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information security threats and risks. The Audit Committee also receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, and relevant internal and industry cybersecurity incidents and emerging threats.
The Company has not experienced any material security incidents or data breaches as a result of a compromise of its information systems and is not aware of any cybersecurity incidents that have had a material impact on, or are reasonably likely to materially affect, its business strategy, operating results, or financial condition.