TEMPUR SEALY INTERNATIONAL, INC. - (TPX)

10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Incident Impact

We have experienced, and expect to continue to experience, cyber threats and incidents. As previously disclosed, on July 23, 2023, we experienced a cybersecurity incident affecting certain of our data and IT systems. As a result of the cybersecurity incident, we incurred $14.3 million of costs in connection with this event. Following a forensic investigation in connection with the incident, we concluded there was no material impact to our financial results for the year ended 2023.

We also implemented additional security measures following the incident, such as stronger privileged access policies and enhanced and expanded multi-factor authentication to help prevent unauthorized access to our systems. We face ongoing risks from certain cybersecurity threats, and we cannot provide assurance that, if those risks materialize, our business strategy, results of operations or financial condition will not be materially affected in the future. See "Risk Factors" in ITEM 1A of this Annual Report on Form 10-K for more information on our cybersecurity related risks.

Risk Management and Strategy

Enterprise Risk Management. We utilize an enterprise risk management process undertaken on an ongoing basis pursuant to which we seek to identify various enterprise risks related to product safety and regulatory, global environmental exposure, site environmental matters, IT system interruption and cybersecurity, supply chain matters, business continuity, health and safety incidents, and other matters. We have an enterprise risk management group that manages this process, which includes our executive leadership team. Their activities include assessing the risks, prioritizing the risks, measuring the risks, implementing mitigation plans, and auditing the results.

Cybersecurity Risk Management. We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats, including risks relating to disruption of business operations or financial reporting systems; intellectual property theft; fraud; violation of privacy laws and other litigation and legal risk; and reputational risk, as part of our overall risk management system and processes. We address cybersecurity risks and threats through a strategic program based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our dedicated cybersecurity team oversees and implements our cybersecurity management program, compliance with applicable legal and third-party data protection and data privacy requirements, and our incident response and crisis management plans.

Incident Response and Recovery Planning. We have established an information security policy and incident response and crisis management plans. We continue to regularly test and evaluate the effectiveness of those plans. Our incident response and crisis management plans address and guide our employees, management and the Board on our response to a cybersecurity incident.

Education and Awareness. Our cybersecurity team provides ongoing information security awareness education, including simulated phishing training, and cybersecurity training for our employees.

External Advisors. We, along with our Board and its committees, engage outside advisors where appropriate to assist in the identification, oversight, evaluation and management of the risks facing our business, including cybersecurity risks. Advisors may be engaged either on a regular basis to inform the Board or management of ongoing risks, or occasionally to advise on specific topics. Such advisors include law firms, cybersecurity experts and other consultants.

External Assessments. Our cybersecurity policies, standards, processes and practices are regularly assessed by consultants. Cybersecurity processes are adjusted based on the information provided from these assessments. In addition to annual attack and vulnerability testing, we engage a third-party cybersecurity provider for managed detection and response and as a managed security operation center.

Governance

Board Oversight. Our Board of Directors is ultimately responsible for overseeing and reviewing with management the Company’s cybersecurity risks and the policies and practices established to manage such risks. In that effort, the Board delegates these responsibilities to the Audit Committee. The Audit Committee receives a cybersecurity update at each of its quarterly meetings from our Senior Vice President, Chief Information Officer ("CIO") or management. These updates address a range of topics, including updates on technology trends, policies and practices, and specific and ongoing efforts to prevent, detect and respond to internal and external critical threats.

Management's Role. Our CIO, as the leader of our IT organization, is responsible for executing enterprise, product and manufacturing cybersecurity programs with a focus on security architecture, vulnerability testing, cyber risk management, incident response, vulnerability management, intelligence, awareness and training and governance. Our CIO and IT management team meet regularly to develop and oversee strategies to protect our data, systems and technology across the organization. These strategies include reviewing security performance metrics, identifying security risks and assessing the status of approved security enhancements. Our CIO receives regular updates from our IT management team on cybersecurity matters, results of mitigation efforts and cybersecurity incident response and remediation. The IT organization also makes recommendations on security policies and procedures, security service requirements and risk mitigation strategies.

Our CIO has worked in the information technology industry since 1997 and has led our IT function since 2016. The IT management team responsible for developing and executing our cybersecurity policies is comprised of individuals with extensive experience working in the fields of information technology and cybersecurity, formal education and degrees in information technology and cybersecurity and industry certifications such as Certified Information Systems Security Professional, Certified Information Security Manager and Certified Information System Auditor. Our CIO and IT management team also receive regular training and education on cybersecurity-related topics.