STEELCASE INC 10-K Cybersecurity GRC - 2024-04-12

Page last updated on April 14, 2024

STEELCASE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-12 13:38:09 EDT.

Filings

10-K filed on 2024-04-12

STEELCASE INC filed an 10-K at 2024-04-12 13:38:09 EDT
Accession Number: 0001050825-24-000060

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity: Risk Management and Strategy We use a combination of people, processes, and technologies to monitor and mitigate cybersecurity threats, which include end-point monitoring, vulnerability assessments and penetration testing. We leverage a variety of cybersecurity services, tools and techniques designed to identify and assess cybersecurity threats and take preemptive action to reduce and, where possible, eliminate the potential impacts. Our cybersecurity processes are based on the cybersecurity standards set by the Center for Internet Security and the National Institute of Standards and Technology ( NIST ). We regularly engage outside assessors and consultants to identify potential cybersecurity risks and suggest best practices. Our efforts to safeguard the confidentiality, integrity and availability of our systems and data, maintain regulatory compliance and manage our risk from cybersecurity threats include: maintaining a Security Operations Center to monitor and investigate activity that may be suspicious, staffing and managing a cybersecurity team to safeguard systems and applications, routinely auditing the security of critical information technology systems and services, and conducting regular training and simulations for all employees and contractors with access to our systems to enhance awareness and responsiveness to possible threats. We maintain a Cybersecurity Incident Response Plan, based on NIST s incident handling framework, to guide our response to cybersecurity threats. The plan includes procedures to triage, assess severity and remediate events in our information technology infrastructure. Annually, we engage third-party experts to conduct penetration testing inside our network. For data and information that is maintained for us outside our network, we conduct security and privacy assessments of vendors who hold sensitive data and manage critical platforms. We maintain written agreements that govern third-party access to our network and protection of our information, and we conduct annual reviews of appropriate access. We require our suppliers to agree to our Supplier Code of Conduct which includes cybersecurity requirements. We include the assessment of cybersecurity risk as part of our overall enterprise risk management strategy. Refer to Item 1A. Risk Factors under the heading " We rely on the integrity and security of our information technology systems, and our business could be adversely impacted by extended disruptions, significant security breaches or other compromises of these systems" for further information on the risks we face from cybersecurity threats. We believe that to date, such risks have not materially affected and are not believed to be reasonably likely to materially affect us, our business strategy, results of operations or financial condition. Governance The Audit Committee of our Board of Directors is responsible for the oversight of our cybersecurity risk management. At least twice per year, our Chief Technology Officer ( CTO ) and Chief Information Security Officer ( CISO ) provide a cybersecurity update to our Audit Committee, which includes the results of penetration testing, cybersecurity simulations and training, as well as key initiatives and the progress against those initiatives, updates on the changes in trends of cybersecurity threats and the steps management is taking to address cybersecurity risks. Our CTO and CISO manage our cybersecurity strategy. Our CTO has over 13 years of experience in information security and risk management and reports directly to our President and Chief Executive Officer. Our CISO has over 10 years of experience in information security and risk management, including at a federal law enforcement agency, and has a Master of Science degree in Cybersecurity. Our CTO and CISO lead our Cybersecurity Incident Response Plan management of cybersecurity incidents with a cross-functional team to assess the potential materiality of cybersecurity events and to report on the detection, analysis, containment and eradication of and recovery from such events. As the severity of events meet certain criteria, as specified by the Incident Response Plan, those events are escalated to senior levels of management and reported to our Disclosure Committee and the Audit Committee. Our Disclosure Committee is responsible for the oversight of controls and procedures related to the public disclosure of material cybersecurity incidents. 13 Table of Contents

Company Information