INTERFACE INC 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

INTERFACE INC reported its cybersecurity risk management and governance process in an annual 10-K filed on 2026-02-25 17:31:26 EST.

Filings

10-K filed on 2026-02-25

INTERFACE INC filed a 10-K at 2026-02-25 17:31:26 EST
Accession Number: 0000715787-26-000006


Item 1C. Cybersecurity.

Risk Management Strategy

Assess, Identify and Manage Material Risks from Cybersecurity Threats

Interface has implemented processes designed to identify, assess, and manage material risks from cybersecurity threats. These processes are integrated into our broader enterprise risk management framework and are intended to enable ongoing evaluation of cybersecurity risks that could impact our business, operations, or financial condition. They include activities aimed at protecting sensitive and personal data from unauthorized access, disclosure, or misuse. Cybersecurity risks are assessed through a combination of internal evaluations, risk assessments, and monitoring of the evolving threat environment. Identified risks are prioritized based on their potential impact and likelihood, and management develops and implements risk mitigation strategies accordingly.

Use of Cybersecurity Frameworks and Standards

Our cybersecurity program is informed by recognized industry frameworks and standards. Interface currently uses the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) to guide its cybersecurity activities, capabilities, and reporting to management and the Board of Directors. We also periodically evaluate additional frameworks and standards, including International Organization for Standardization (ISO) 27001, as part of our ongoing efforts to strengthen our cybersecurity governance and risk management practices.

Engagement of Third Parties

Interface's cybersecurity risk management processes include consideration of risks associated with third-party service providers, suppliers, and other business partners. We evaluate cybersecurity risks associated with third parties in connection with onboarding and, where appropriate, through periodic reassessments. These processes may include contractual requirements, risk assessments, and other measures designed to address cybersecurity risks arising from third-party relationships.

Cybersecurity Incident Management

Interface maintains an incident response program designed to identify, respond to, and recover from cybersecurity incidents in a timely manner. This program includes defined procedures and thresholds for incident escalation, internal coordination, and communication with relevant stakeholders. In the event of a material cybersecurity incident, the Company would assess the incident's impact and make disclosures as required by applicable laws and regulations.

On November 20, 2022, we discovered a cybersecurity attack, perpetrated by unauthorized third parties, affecting our IT systems. In response to this Cyber Event, we notified law enforcement and took steps to supplement existing security monitoring, including scanning and protective measures. The investigation of the Cyber Event was completed during fiscal year 2023. A more detailed discussion of the Cyber Event can be found in Item 7 entitled "Management's Discussion and Analysis of Financial Condition and Results of Operations" of this Annual Report on Form 10-K.

Based upon the information that we have as of the end of the year covered by this Annual Report, we do not believe that any risks from cybersecurity threats, including the Cyber Event described above, have materially affected Interface, including our business strategy, results of operations, or financial condition. However, cybersecurity threats are evolving and increasing in sophistication, and the preventative actions we have taken, and continue to take, to reduce the risk of cybersecurity threats and incidents may not successfully protect against all such threats and incidents, and, as a result, there can be no assurance that we or the third parties we interact with will not experience a cybersecurity event in the future that will materially affect the Company, including its business strategy, results of operations, or financial condition. For additional information regarding cybersecurity risks, see "Risk Factors" in Item 1A of this Annual Report on Form 10-K.

System Resilience, Availability, and Recovery

Interface maintains business continuity and disaster recovery plans designed to support the availability and resilience of its information systems and operations in the event of a cybersecurity incident or other disruptive event. The disaster recovery plans are reviewed and tested annually, and we take steps to incorporate lessons learned from testing activities and industry events into our resilience planning.

Ongoing Monitoring and Continuous Improvement

Our cybersecurity program includes ongoing monitoring and evaluation activities designed to support the effectiveness of our controls and processes. These activities include security monitoring, vulnerability assessments, and penetration testing conducted internally and by engaged third-party cybersecurity consultants and assessors. Interface also engages external specialists, as needed, to assist with incident response, forensic investigations, and independent assessments of our cybersecurity program. Interface also provides annual and monthly security awareness training to digitally enabled employees designed to promote responsible use of information systems and to reduce the risk of cybersecurity incidents. Management uses the results of these activities to inform enhancements to the Company's cybersecurity program and to address emerging risks.

Governance and Oversight

The Board of Directors has delegated oversight of Interface's cybersecurity risk management to the Audit Committee of the Board of Directors. The Audit Committee is comprised of board members with diverse experience and expertise to effectively oversee risk, although none of them are cybersecurity experts. The Audit Committee receives quarterly updates from management regarding cybersecurity risks, threat environment developments, and the Company's cybersecurity posture through our enterprise risk management process.

Our Chief Information Officer reports directly to the Chief Executive Officer and is responsible for the ongoing management of our cybersecurity program, including the identification and evaluation of risks and the implementation of risk mitigation strategies to maintain a strong cybersecurity posture. Our Chief Information Officer, in his capacity, regularly informs the Audit Committee (typically twice per year) and the full board (typically once per year) on all aspects related to cybersecurity risks, as well as any remediation efforts in response to a cybersecurity incident. The Chief Information Officer works in coordination with leaders across information technology, legal, risk management, compliance, and operations to ensure a comprehensive approach to cybersecurity risk management. Our Chief Information Officer has over twenty-five years of diverse experience aligning information technology strategies to business objectives at global companies.


Company Information

Name: INTERFACE INC
CIK: 0000715787
SIC Description: Carpets & Rugs
Ticker: TILE - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 28