LENNOX INTERNATIONAL INC - (LII)

10-K Filing Date: February 13, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We manage cybersecurity risk through three core teams: cybersecurity engineering, data privacy, and a security operations center. These teams are responsible for overseeing data security during new system and infrastructure deployments, maintaining appropriate cybersecurity controls, and monitoring, documenting and investigating any anomalies affecting employees, suppliers, and customers. Our IT security controls are designed to align with NIST (National Institute of Standards and Technology) standards and are tested on an ongoing basis. These controls and procedures also address cybersecurity risks associated with third-party service providers. For instance, we conduct risk and compliance assessments of third-party service providers that request access to our information assets. To support our internal risk management structure, we use third-party specialists to monitor for emerging threats, conduct vulnerability scans and analysis including simulated attacks, and audit our cybersecurity framework. We also maintain an information security risk insurance policy in the event of a security breach. Our internal audit function provides independent assessment and assurance on the overall operation of our cybersecurity programs and the supporting control frameworks.

Leadership receives training on how to respond to ransomware events and participates in breach simulations at least once a year. Additionally, employees throughout the organization support LII’s risk management efforts by participating in mandatory cybersecurity training at least once a year, ongoing awareness campaigns, and quarterly simulated phishing attempts.

LII has not experienced any material cybersecurity incidents within the last three years. However, as described in Item 1A, “Risk Factors,” any breach of data security could result in a disruption of our services or improper disclosure of personal data or confidential information, which could harm our reputation, require us to expend resources to remedy such a security breach or defend against further attacks, or subject us to liability under laws that protect personal data, resulting in increased operating costs or loss of revenue.

Governance

Our Chief Technology Officer is responsible for overseeing cybersecurity and reports to the Board of Directors twice a year on our cybersecurity tactical responses and strategic roadmap. The entire Board of Directors reviews significant cybersecurity risks and works with the Audit Committee to address these issues.

At the management level, our Data Protection & Cybersecurity Steering Committee (“DPCSC”) meets on a quarterly basis. The DPCSC includes representatives from communications, ethics and compliance, human resources, information technology, corporate audit, legal, risk, privacy, and sourcing. This committee is responsible for overseeing LII’s data protection and cybersecurity policies and procedures. These cybersecurity policies and procedures include an IT security and privacy incident response plan to notify the appropriate parties in a timely manner, including our Chief Technology Officer, our Disclosure Committee, and our Board of Directors.

Our Chief Technology Officer has served in the role since 2008 and has more than 15 years of experience in developing and executing large enterprise data privacy and cybersecurity roadmaps at publicly traded companies. He holds undergraduate and graduate degrees in engineering. Our Vice President, Information Technology, has served in the role since 2003 and has more than 35 years of cybersecurity experience. He holds an undergraduate degree in computer science.