WHIRLPOOL CORP /DE/ - (WHR)

10-K Filing Date: February 14, 2024
ITEM 1C. CYBERSECURITY
Information Security Risk Management and Strategy
Our Board of Directors (“Board”) is responsible for overseeing risk management at Whirlpool, which is the responsibility of our Executive Vice President and Chief Financial Officer. Our risk management process is designed to identify, prioritize, and monitor risks that could affect our ability to execute our corporate strategy and fulfill our business objectives and to appropriately mitigate such risks.
As part of our risk management processes, we perform risk assessments in which we map and prioritize information security risks identified through the processes described above, including risks associated with our use of third-party service providers, based on probability, immediacy and potential magnitude. These assessments inform our risk mitigation strategies, which are reviewed regularly with the Board and management, and we view information security risks as one of the key risk categories we face. For example, our information technology and infrastructure have experienced, and may in the future be vulnerable to, cyberattacks (including ransomware attacks) or security incidents, and third parties have in the past been, and may in the future be, able to access proprietary business information and personal data that we collect, store and process. For more information regarding the information security-related risks we face, see the information in “Item 1A: Risk Factors” under the caption “We have been and may be subject to information technology system failures, network disruptions, cybersecurity attacks and breaches in data security, which may materially adversely affect our operations, financial condition and operating results”.
Our risk mitigation process assesses, prioritizes, and monitors information security risks and vulnerabilities and helps ensure risk mitigation efforts are embedded across our business. Among other things, our internal experts regularly conduct audits and tests of our information systems, and our cybersecurity program is periodically assisted by established, independent third-party consultants, who provide assistance through tabletop and other preparedness exercises. We also review information security threat information published by government entities and other organizations in which we participate, and we actively engage with suppliers, industry associations, key thought leaders and law enforcement communities as part of our continuous efforts to evaluate and enhance the effectiveness of our cybersecurity program. In 2022, we launched and required all salaried employees to complete a mandatory Global Cybersecurity and Privacy training, covering information security, end-user security policies, remote working, phishing and email security and digital threats. This training was enhanced with additional topics in 2023 around social media, social engineering, and breach response, among others. Additionally, we maintain regular publications on cyber awareness on our Company portal and conduct ongoing simulated phishing exercises. We use the findings from these and other processes to improve our information security practices, procedures and technologies. In 2023, we implemented additional management governance through the creation of a Global Cybersecurity and Data Privacy Steering Committee, which meets periodically to help ensure information security risks and vulnerabilities are being appropriately managed and mitigated. In addition, we maintain insurance to protect against potential losses arising from an information security incident.
While we have not yet experienced any material impacts from a cyberattack, any one or more future cyberattacks could materially adversely impact the Company, including through a loss of trust among our customers and consumers, departures of key employees, general diminishment of our global reputation and financial losses from remediation actions, loss of business or potential litigation or regulatory liability. Further, evolving market dynamics are increasingly driving heightened cybersecurity protections and mandating cybersecurity standards for our products, and we may incur additional costs to address these increased risks and to comply with such demands.
In addition to the risk management processes identified above, Whirlpool also maintains active knowledge security and data privacy programs. Leveraging policies and governance, ongoing training and awareness as well as strong controls and systems-based approaches, these programs help ensure that Whirlpool confidential information is protected and that the Company complies with applicable data privacy and data protection laws in all countries where we do business.
Information Security Governance and Oversight
Our risk management process and information security risk mitigation framework enables our Board and management to establish a mutual understanding of the effectiveness of our information security risk management practices and capabilities, including the division of responsibilities for reviewing our information security risk exposure and risk tolerance, tracking emerging information risks and ensuring proper escalation of certain key risks for periodic review by the Board and its committees.
As part of its broader risk oversight activities, the Board oversees risks from information security threats, both directly and through the Audit Committee of the Board (the “Audit Committee”). As reflected in its charter, the Audit Committee assists the Board in its oversight of risk by periodically reviewing policies and guidelines with respect to risk assessment and risk management, including management reports on our processes to manage and report risks. As another element of its risk oversight activities, the Audit Committee receives reports quarterly from our Global Chief Information Officer (“CIO”) and Global Chief Information Security Officer (“CISO”) on the execution and effectiveness of our cybersecurity and privacy program, cybersecurity incidents, cyber resilience metrics and the global threat landscape. The Audit Committee also oversees our internal control over financial reporting, including with respect to financial reporting-related information systems.
Our CISO, who manages our cybersecurity program, reports to our CIO regularly on how certain information security risks are being managed and progress towards agreed mitigation goals, as well as any potential material risks from cybersecurity threats. The CIO and CISO discuss these matters with our Audit Committee, which reports to the Board on the substance of its reviews and discussions. In addition to these discussions, each year our CIO and CISO present to our Board on cybersecurity-related trends and program updates. Our CIO and CISO are also responsible for prioritizing risk mitigation activities and developing a culture of risk-aware practices with strong support from management. Both our CIO and CISO have extensive backgrounds and expertise in information security, having served in senior leadership positions in the information technology and information security spaces, respectively, for many years prior to joining Whirlpool.
The day-to-day monitoring, identification, and assessment of information security risks and incident response functions are managed centrally by our core cyber incident response team (the “CIRT”), which operationalizes our Cyber Incident Response Plan (the “Plan”). The Plan includes processes to triage, assess severity of, escalate, contain, investigate and remediate information security incidents, including those associated with our third-party service providers, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. Under the Plan, the CIRT may escalate matters as necessary to our CISO and CIO, Chief Legal Officer, and other senior leadership, depending on the severity classification of the incident.
In addition to the ordinary-course Board and Audit Committee reporting and oversight described above, we also maintain disclosure controls and procedures designed for prompt reporting to the Board and timely public disclosure, as appropriate, of material events covered by our risk management framework, including information security risks.