LCI INDUSTRIES - (LCII)

10-K Filing Date: February 23, 2024
Item 1C. CYBERSECURITY.
Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.

We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"). This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management program is aligned to the Company’s business strategy. It shares common methodologies, reporting channels and governance processes that apply to other areas of enterprise risk, including legal, compliance, strategic, operational, and financial risk. Key elements of our cybersecurity risk management program include:

risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment;
a security team principally responsible for managing our cybersecurity risk assessment processes, our security controls, and our response to cybersecurity incidents;
the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
training and awareness programs for team members that include periodic and ongoing assessments to drive adoption and awareness of cybersecurity processes and controls;
a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
a third-party risk management process for service providers, suppliers, and vendors, which is part of our global information security policy.

In the last three fiscal years, the Company has not experienced any material cybersecurity incidents, and expenses incurred from cybersecurity incidents were immaterial. For a discussion of whether and how any risks from cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, refer to Item 1A. Risk Factors - "Risks Related to our Business, Operations and Strategy."

Cybersecurity Governance

The Board of Directors established its Risk Committee with specific responsibility for overseeing risks from cybersecurity threats, among other things. Our Vice President of Global Information Security provides the Risk Committee periodic reports on our cybersecurity risks and any material cybersecurity incidents. In addition, our cybersecurity team provides annual reports to our Board of Directors.

Our team of cybersecurity professionals is led day-to-day by our Vice President of Global Information Security who reports to our Chief Information Officer. Our Vice President of Global Information Security has a combined 20 years of experience in IT operations and cybersecurity leadership. The Vice President of Global Information Security also serves as the Chair of our Enterprise Risk and Compliance Committee where leaders from across the Company discuss cyber risk and other risk matters. The cybersecurity team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants.

21


Our cybersecurity team also monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include briefings with internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the information technology environment.