BRUNSWICK CORP - (BC)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity

Brunswick’s leadership recognizes the importance of information security and managing cybersecurity risks across the enterprise. We manage our global business operations through a variety of systems for commercial transactions, customer interactions, manufacturing, branding, employee tracking, and other applications. Systems based on legacy technology, sometimes added through acquisitions or hosted by third parties, and/or that contain personal information of customers or employees, present risks of erroneous or fraudulent transactions, disclosure of personal, sensitive, and confidential information, loss of reputation and confidence, potential impacts on our operations, and may result in legal claims or proceedings, penalties, and remediation costs. Our mature cybersecurity program has been strategically designed to assess, identify, and manage these cyber risks, protect the organization, respond to, and recover from cybersecurity incidents.

Brunswick’s Board of Directors (the Board) and its committees are actively engaged in managing cybersecurity risk and overseeing our information security programs. The Audit and Finance Committee (the Committee) is primarily responsible for oversight of Brunswick’s information technology and information security/cybersecurity programs. The Committee is composed of directors with expertise in technology, audit, finance, and compliance, equipping them to effectively oversee the program. The Chief Information Officer (CIO) and/or Chief Information Security Officer (CISO) update the Committee at each of its regularly scheduled meetings. These reports include updates on the Company’s cybersecurity programs and key performance indicators; assessment of the program; emerging risks; policies, procedures, and training; and risk mitigation strategies. The CIO and CISO also provide the full Board with information technology and cybersecurity reports on at least an annual basis and with greater frequency as necessary. In addition, the Board oversees Brunswick’s long-standing enterprise risk management (ERM) process, which regularly identifies, assesses, and mitigates enterprise and emerging risks, including cyber risks.

The underlying controls of our cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). A dedicated Office of the CISO, which reports to the CIO, is responsible for developing enterprise-wide cybersecurity strategy, architecture, policies, processes, and controls, and is directly responsible for our cybersecurity program. Our cybersecurity team members have extensive information technology and program management experience. The CIO and/or CISO personnel regularly inform the Chief Executive Officer (CEO) and other members of senior management about the program, best practices, current cybersecurity threats, the risk landscape, and mitigation approaches.

We use various tools and methodologies to identify, manage, and test for cybersecurity risk on a regular cadence both at the enterprise level and using third party service providers. These third parties include cybersecurity managed security service providers (MSSPs), consultants, advisors, and auditors, who we engage to evaluate our controls, whether through penetration testing, independent audits, or consulting on best practices to address new threats or challenges. We also actively engage with key vendors, industry participants, and law enforcement communities as part of our continuing efforts to evaluate and improve our program. Internally, our employees are a key part of our program. All employees are required to complete cybersecurity training at least once every year, and employees in certain roles must complete additional, specialized cybersecurity training on a regular basis.

Our regular interactions with third party vendors and suppliers also pose a cybersecurity risk that could adversely impact our business or employees. We conduct information security assessments before onboarding and upon detection of an increase in risk profile. In addition, we require providers to meet appropriate security requirements, controls and responsibilities and include additional security and privacy addenda to our contracts where applicable. We also make available cybersecurity education and awareness materials to our suppliers.

The Office of the CISO continually works to enhance our robust enterprise security structure with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur. We have an established playbook to promptly detect, assess, and respond to cyber incidents. Depending on the nature and severity of an incident, this process provides for escalating notification to functional leaders, senior management, our CEO, and the Board.

25

Table of Contents
On June 13, 2023, Brunswick disclosed an IT security incident that impacted some systems and global facilities. We activated our response protocols, including pausing operations in some locations, engaging leading security experts, and coordinating with relevant law enforcement agencies. Normal global business operations resumed over the course of nine days following the incident. We estimate the incident resulted in lost revenue of approximately $80 million to $85 million and operating earnings of $35 million to $40 million. To date, Brunswick has not identified any other cyber event or risks from cybersecurity threats that could be considered material, individually or in the aggregate.

Notwithstanding our vigilant cybersecurity program, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. For further information, refer to Section 1A, Risk Factors, for a discussion of risks related to cybersecurity and technology.

26

Table of Contents