Floor & Decor Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Floor & Decor Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:21:18 EST.

Filings

10-K filed on 2024-02-22

Floor & Decor Holdings, Inc. filed an 10-K at 2024-02-22 16:21:18 EST
Accession Number: 0001507079-24-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Cybersecurity is the responsibility of our information security team, overseen by our Chief Information Security Officer ( CISO ). Our CISO reports to our Chief Information Officer ( CIO ), and our CISO and CIO regularly meet with our General Counsel to review cybersecurity risks, and evaluate their nature and severity, as well as identify potential mitigation and assess the impact of those mitigations on residual risk. Our enterprise risk management program also considers cybersecurity risks, including risks associated with our use of third-party service providers, alongside other company risks, and as part of these efforts, we gather information necessary to identify cybersecurity risks, and evaluate their nature and severity, as well as identify mitigations and assess the impact of those mitigations on residual risk. Our enterprise risk management program is reviewed annually with our Board. We maintain a system of data protection and cybersecurity resources, technology, and processes. We regularly evaluate new and emerging risks and ever-changing legal and compliance requirements. We make strategic investments to address these risks and compliance requirements. We also perform annual and ongoing cybersecurity awareness training, which includes regular simulated phishing campaigns. We also run tabletop exercises, including with external advisors, to simulate a response to a cybersecurity incident, and we use the findings to improve our practices, procedures, incident response plan, and technologies. In the event of a cybersecurity incident, we have worked with external advisors to develop an incident response plan, which provides guidelines for responding to an incident and facilitates coordination across multiple parts of our Company. The incident response plan includes a procedure for notifying the CISO and CIO of any incident as well as a procedure for reporting any material incidents to the Audit Committee of our Board (the Audit Committee ) and Board as appropriate. Our cybersecurity risk program is structured according to the National Institute of Standards and Technology (NIST) Cybersecurity framework. This program includes multiple layers of security controls, including network segmentation, security monitoring, endpoint protect, and identity and access management. The Company annually engages third parties to advise and assess the Company s cybersecurity programs, including to engage in penetration testing. The results of these assessments are reported to the CISO and our CISO, in consultation with our CIO and General Counsel, use the findings to improve our practices, procedures, and technologies. A summary of our cybersecurity efforts is reported to the Audit Committee, which has primary responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management, including cybersecurity, regularly. Our Board also receives periodic updates relating to information security and cybersecurity risks. We have also purchased cyber liability insurance to provide a level of financial protection against the potential losses arising from a cybersecurity incident. However, there is no assurance that our insurance coverage will cover or be sufficient to cover all losses or claims that may result from a cybersecurity incident. Our CISO, CIO, and General Counsel collectively have over 35 years of business experience managing risks from cybersecurity threats and developing and implementing cybersecurity policies and procedures. Team members who support our information security program have relevant educational and industry experience. In the last three fiscal years, we have not experienced a material information security breach incident and the expenses we have incurred from information security breach incidents have been immaterial, and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, future incidents could have a material impact on our business strategy, results of operations, or financial condition. For additional discussion of the risks posed by cybersecurity threats, see Risk Factors Risks Related to our Business If our efforts to protect the privacy and security of information related to our customers, us, our associates, our suppliers and other third parties are not successful, we could become subject to litigation, investigations, liability and negative publicity that could significantly harm our reputation and relationships with our customers and adversely affect our business, financial condition, and operating results. and Risk Factors Risks Related to our Business A material disruption in our information systems, including our website or call center, could adversely affect our business or operating results and lead to reduced net sales and reputational damage. in Part 1 of this Annual Report. 25 Table of Contents

Company Information