LEAR CORP - (LEA)

10-K Filing Date: February 08, 2024
ITEM 1C – CYBERSECURITY
Risk Management and Strategy
We have implemented and maintain multiple layers of physical, administrative and technical security processes designed to protect our manufacturing facilities from disruptions that may result from cybersecurity incidents, as well as safeguard the confidentiality of our critical systems, and data residing on those systems, including employee data, customer data and intellectual property. Our risk assessment and management of material risks from cybersecurity threats is integrated into our overall enterprise risk management process, as well as our information systems processes. Our strategy includes regular formal risk assessments, dynamic risk and threat analysis, utilization of security tools, regular cybersecurity-related tabletop and phishing exercises designed to simulate cybersecurity incidents, and frequent security awareness and technical security trainings. We conduct periodic internal and third-party assessments to evaluate our cybersecurity posture and test and assess our incident response program, incident roles and responsibilities, material impact evaluation, and decision-making processes in the event of a cybersecurity incident. We use our risk and security assessments to enhance our information security capabilities. We also have an internal employee network of hundreds of security awareness ambassadors from diverse functions throughout our global locations who inform our personnel concerning threat awareness and cybersecurity risk mitigation. 
Depending on the environment, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our information systems and data, including an incident response policy, plan, procedures and scenario-based playbooks, an incident detection and response program, a vulnerability management program, disaster recovery and business continuity plans, risk assessment processes, security standards, network security controls, access controls, systems monitoring, employee awareness training and cybersecurity insurance. We have obtained Trusted Information Security Assessment Exchange (TISAX) certification labels at multiple global locations.
Our internal information security team oversees and works collaboratively with various information security service providers. Our cybersecurity program incorporates external guidance and expertise through the use of third-party service providers to assist in the identification, assessment and management of risks specific to cybersecurity threats, including vendors providing threat intelligence, risk mitigation, dark web monitoring, external scanning and scoring, threat and reputation monitoring, forensics, cyber-insurance, advisory services and legal counsel. We use a managed security service provider to augment our internal information security team and to provide additional monitoring capabilities. We also have a vendor management program addressing cybersecurity risk associated with application providers, hosting services and information technology support services we may retain. This program includes security questionnaires, review of vendor security programs, review of security assessments and assurance reports, vulnerability scans, and direct inquiries and collaboration with our vendors’ security personnel. Our vendor management process involves different levels of assessment depending on the services provided by the vendor, the sensitivity of the related information systems and data, and the identity of the provider. It is designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.
We have an incident response plan that includes scenario-based playbooks for managing cybersecurity incidents and associated crisis communication procedures designed to facilitate coordination across the Company and with our partners, customers, the public and others.
For the year ended December 31, 2023, there have been no risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. For a description of risks related to our information technology systems, including cybersecurity threats, see Item 1A, "Risk Factors."
In addition, we have product cybersecurity risk assessment and management processes in place within our E-Systems business, where our products are more susceptible to cybersecurity threats, that align our internal policies, standards and development practices with customer requirements and industry standards, including the International Organization for Standardization ("ISO") 21434 control framework specific to road vehicle cybersecurity engineering. We received our ISO 21434 Road Vehicle Cybersecurity Engineering certification in 2023.
Governance
Our Board of Directors (the "Board") addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee of the Board (the "Audit Committee") is responsible for overseeing our cybersecurity risk management processes, including our assessment and mitigation of material risks from cybersecurity threats. The Audit Committee receives regular reports, summaries or presentations related to cybersecurity threats, risk, mitigation and related processes from the Chief Information Officer ("CIO") and Chief Information Security Officer ("CISO"). In addition, on at least an annual basis, the Board receives reports, summaries or presentations related to cybersecurity threats, risk, mitigation and related processes.
Our cybersecurity risk assessment and management processes are implemented and maintained by our CIO and CISO, who are supported by other members of management, as necessary. Our CIO and CISO are responsible for approving budgets, cybersecurity incident preparedness, approving cybersecurity processes, reviewing security assessments and other security-related reports, and providing the Chief Financial Officer ("CFO") with regular updates on cybersecurity-related matters. Our CIO has served in this role for three years and has more than 28 years of relevant experience, including previous roles as the CIO for two companies and the divisional information technology leader for two companies. Our CISO, who reports to the CIO, has served in this role for two years and has more than 28 years of relevant experience, including a focus on information security and cybersecurity for the last 15 years. Our CISO was previously the CISO for another automotive supplier. In addition, our CISO is very engaged in the cybersecurity community through current and past involvement with industry organizations, including serving as the chair of the General Motors Supplier Automotive Community and as a member of the Automotive Information Sharing and Analysis Center, Michigan Infragard, the Domestic Security Alliance Council and the European Association of Automotive Suppliers cybersecurity workgroup. In addition, we have an information security team comprised of dozens of employees dedicated to cybersecurity with extensive experience and relevant certifications. The CIO and CISO are responsible for hiring appropriate personnel, assisting with the integration of cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, and mitigating and remediating in the event of a cybersecurity incident. Our product cybersecurity risk assessment and management processes are implemented and maintained by E-Systems management, including the Division President; Vice President of Global Strategy, Product Management and Electronics Engineering; and Vice President of Product Integrity and Technology.
Our product security team within our E-Systems business consists of a team of employees dedicated to product cybersecurity engineering.
Our cybersecurity incident response and vulnerability management programs are designed to escalate certain cybersecurity incidents to various levels of management depending on the circumstances, including our CIO, CISO, General Counsel, Division Presidents, CFO and/or Chief Executive Officer (collectively, "Senior Management") and, in the instance of product cybersecurity, our E-Systems Safety Committee. Senior Management works with our incident response team to help mitigate and remediate certain escalated cybersecurity incidents. In addition, our incident response and vulnerability management programs include reporting certain cybersecurity incidents to the Audit Committee and, in certain circumstances, to the Board.