LEGGETT & PLATT INC 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

LEGGETT & PLATT INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 15:13:38 EST.

Filings

10-K filed on 2026-02-26

LEGGETT & PLATT INC filed a 10-K at 2026-02-26 15:13:38 EST
Accession Number: 0000058492-26-000107

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We rely on information systems to obtain, process, analyze, and manage data, as well as to facilitate the manufacture and distribution of inventory to and from our facilities. We receive, process, and ship orders, manage the billing of and collections from our customers, and manage the accounting for and payment to our vendors. We also manage our production processes with certain industrial control systems. Consequently, we are subject to cybersecurity risk. From time to time, we have experienced immaterial cybersecurity threats and incidents. When these threats and incidents have occurred, we have taken appropriate remediation steps and, through investigation, PART I determined that the threats or incidents did not have a material effect on our business, results of operations, or financial results. Cybersecurity Risk Management and Strategy We have processes in place for assessing, identifying, and managing material risks from cybersecurity threats and incidents, which is based on industry-recognized frameworks and takes a multifaceted approach to protecting our network, systems, and data, including personal information. To prevent cybersecurity incidents, we deploy a wide range of protective security technologies and tools, including, but not limited to, encryption, firewalls, endpoint detection and response, security information and event management, multi-factor authentication, and threat intelligence feeds. To maintain the effectiveness of this framework, we conduct periodic real-world simulation exercises to test, educate, promote awareness, and identify any refinements needed. Cybersecurity threats are identified, assessed, and monitored by our Security Operations Center, which is staffed with cybersecurity professionals who report to the Senior Cyber Security Operations Manager who reports directly to the Company's Chief Information Security Officer (CISO) , and includes resources provided by external vendors to cover continuous monitoring and remediation. When a cybersecurity threat or incident meets certain categorized thresholds, as determined by our Cybersecurity Incident Response Plan, we follow an escalation review process which can result in our CISO forwarding the threat or incident to our cybersecurity crisis response team consisting of our CEO, CFO, CHRO, CIO, and General Counsel (the "Crisis Response Team"). Our CISO and the Crisis Response Team, pursuant to guidance from our CISO, assess and manage our response to cybersecurity threats and incidents. Our CISO follows a risk-based escalation process to notify our General Counsel of certain cybersecurity threats and incidents, and our General Counsel analyzes our obligation to report any incident publicly. If the General Counsel determines disclosure is warranted, she reports this conclusion to the CISO, the Crisis Response Team, and the Company's Public Disclosure Committee for consideration and disclosure. We have integrated cybersecurity risk into our overall enterprise risk management (ERM) process. Pursuant to the ERM process, cybersecurity risk is evaluated for likelihood, significance, and velocity on a semiannual basis by designated risk owners . The risk owners consist of a cross-functional group of leaders, led by our CISO. Based on the ERM analysis, we adjust, if necessary, our process for the identification, assessment, and monitoring of cybersecurity threats and incidents. We engage third parties in connection with our cybersecurity identification, assessment, and response processes, including to periodically benchmark our cybersecurity program against the National Institute of Standards and Technology's Cybersecurity Framework. We also maintain active retainers with certain third parties that can be engaged in the event of a cybersecurity threat or incident. We have established a process to oversee and identify risks and cybersecurity threats associated with our third-party service providers, which includes the use of monitoring technology. We also survey certain third-party providers regarding their security controls. Although we have not experienced any material cybersecurity incidents, because of past immaterial cybersecurity threats and incidents, and what we have learned in responding to those threats, we have increased our cybersecurity program-enhancement efforts, including stronger protective controls. As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us, including our business strategy, results of operations, or financial condition. However, for a discussion of risks from cybersecurity threats that could materially affect our business strategy, results of operations, or financial condition, see Item 1A. Risk Factors - Information technology failures, cybersecurity incidents, or new technology disruptions could have a material adverse effect on our operations on page 22, which is incorporated by reference into this Item 1C. Cybersecurity Governance Our Board has oversight of all cybersecurity threats and incidents. On a quarterly basis, and more often if warranted, the Company's CIO, or the CFO in coordination with the CIO, each after consultation with the CISO, reports to the full Board any potentially material cybersecurity threat or incident and our activities monitoring the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents. Our CISO and the Crisis Response Team, pursuant to guidance from our CISO, assess, identify, and manage material risks from cybersecurity threats and incidents, as described above under Cybersecurity Risk Management and Strategy . The CISO has served in this role since October 2024, and has over 20 years of PART I professional experience in identifying, evaluating, and responding to cybersecurity threats and incidents. Our CISO holds a Bachelor of Science degree from DeVry University, Addison, Illinois, a Masters in Business Administration from Western Governors University, is a Certified Information Systems Security Professional (CISSP), a GIAC Certified Incident Handler (GCIH), and holds a GIAC Certification in Strategic Planning, Policy and Leadership. Members of the Crisis Response Team have extensive work experience in systems and programming, auditing, compliance and privacy laws, financial controls and procedures, and operations management. With the assistance of the CISO, along with our internal cybersecurity and information technology professionals and our third-party cybersecurity consultants and advisors, the Crisis Response Team is charged with the responsibility of preventing, detecting, mitigating, and remediating cybersecurity threats and incidents. Although we have purchased broad form cyber insurance coverage and strive to provide a balanced level of cybersecurity protections, cybersecurity risk has increased due to growing sophistication of cybersecurity adversaries, as well as the increased frequency of cybersecurity attacks, including malware. As such, information technology failures or cybersecurity breaches could still create system disruptions or unauthorized disclosure or alterations of confidential information and disruptions to the systems of our third-party suppliers and providers. We cannot be certain that the attacker's capabilities will not compromise our technology protecting information systems or bypass our detection capabilities, including those resulting from ransomware attached to our industrial control systems. If these systems are materially interrupted or damaged by any incident or fail for any extended period of time, then our results of operations could be adversely affected. We may incur remediation costs, increased cybersecurity protection costs, ransom payments, lost revenues resulting from unauthorized use of proprietary information, litigation and legal costs, increased insurance premiums, reputational damage, damage to our competitiveness, and negative impact on our stock price and long-term shareholder value. We may also be required to devote significant management resources and expend significant additional resources to address problems created by any such interruption, damage, or failure. For more information regarding cybersecurity risks, refer to Item 1A. Risk Factors - Information Technology and Cybersecurity Risk Factors on page 22.
Item 1C. Cybersecurity on page 26. NEW ACCOUNTING STANDARDS The FASB has issued accounting guidance effective for current and future periods. See Note A on page 81 of the Notes to Consolidated Financial Statements for a more complete discussion. Item 7A. Quantitative and Qualitative Disclosures About Market Risk. (Unaudited) (Dollar amounts in millions) Interest Rates The table below provides information about our debt obligations sensitive to changes in interest rates. Substantially all of the debt shown in the table below is denominated in U.S. dollars. The fair value of fixed rate debt was approximately $175.0 million less than carrying value of $1,490.0 million at December 31, 2025 and approximately $245.0 million less than carrying value of $1,488.3 million at December 31, 2024. The fair value of the fixed rate debt was based on quoted prices in an active market. The fair value of variable rate debt is not materially different from its recorded amount. Long-term debt as of December 31, Scheduled Maturity Date 2026 2027 2028 2029 2030 Thereafter 2025 2024 Principal fixed rate debt $ - $ 500.0 $ - $ 500.0 $ - $ 500.0 $ 1,500.0 $ 1,500.0 Average stated interest rate - 3.50 % - 4.40 % - 3.50 % 3.80 % 3.80 % Principal variable rate debt - 1.8 - - 2.0 - 3.8 3.8 Unamortized discounts and deferred loan costs . (10.0) (11.7) Commercial paper 1 - 368.0 Miscellaneous debt and finance leases 3.9 4.0 Total debt 1,497.7 1,864.1 Less: current maturities 1.5 1.3 Total long-term debt $ 1,496.2 $ 1,862.8 1 The weighted average interest rate for the average net commercial paper outstanding activity during the years ended December 31, 2025 and 2024 was 5.0% and 5.6%, respectively. Derivative Financial Instruments We are subject to market and financial risks related to interest rates and foreign currency. In the normal course of business, we utilize derivative instruments (individually or in combinations) to reduce or eliminate these risks. We seek to use derivative contracts that qualify for hedge accounting treatment; however, some instruments may not qualify for hedge accounting treatment. It is our policy not to speculate using derivative instruments. Information regarding cash flow hedges and fair value hedges is provided in Note A beginning on page 81 and Note R beginning on page 120 of the Notes to Consolidated Financial Statements and is incorporated by reference into this section. PART II Investment in Foreign Subsidiaries We view our investment in foreign subsidiaries as a long-term commitment, and it can vary based on operating cycles and currency rate fluctuations. This investment may take the form of either permanent capital or notes. Our net investment (i.e., total assets less total liabilities subject to translation exposure) in foreign operations with functional currencies other than the U.S. dollar at December 31 is as follows: Functional Currency (amounts in millions) 2025 2024 European Currencies 1 $ 607.7 $ 396.5 Chinese Yuan 338.7 267.2 Canadian Dollar 207.4 208.9 Mexican Peso 72.5 71.4 Other 88.9 78.8 Total $ 1,315.2 $ 1,022.8 1 The increase in 2025 is due to the gain on our Aerospace Products Group (see Note S to the Consolidated Financial Statements on page 121). Item 8. Financial Statements and Supplementary Data. The Consolidated Financial Statements and Notes and Financial Statement Schedule included in this Report are listed and included in Item 15 on page 72, and are incorporated by reference into this item. Item 9. Changes in and Disagreements With Accountants on Accounting and Financial Disclosure. None. Item 9A. Controls and Procedures. Effectiveness of the Company's Disclosure Controls and Procedures An evaluation as of December 31, 2025, was carried out by the Company's management, with the participation of the Company's Chief Executive Officer and Chief Financial Officer, of the effectiveness of the Company's disclosure controls and procedures (as defined in Rule 13a-15(e) under the Securities Exchange Act of 1934, as amended (the "Exchange Act")). Based upon this evaluation, the Chief Executive Officer and Chief Financial Officer have concluded the Company's disclosure controls and procedures were effective, as of December 31, 2025, to provide assurance that information required to be disclosed by the Company in the reports that it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified by the Securities and Exchange Commission's rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by the Company in the reports that it files or submits under the Exchange Act is accumulated and communicated to the Company's management, including its Chief Executive Officer and Chief Financial Officer, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure. Management's Annual Report on Internal Control over Financial Reporting and Auditor's Attestation Report Management's Annual Report on Internal Control over Financial Reporting can be found on page 73, and the Report of Independent Registered Public Accounting Firm regarding the effectiveness of the Company's internal control over financial reporting can be found on page 74 of this Form 10-K. Each is incorporated by reference into this Item 9A. Changes in the Company's Internal Control Over Financial Reporting There were no changes during the quarter ended December 31, 2025 that have materially affected, or are reasonably likely to materially affect, our internal control over financial reporting. Item 9B. Other Information. Director and Officer Trading Arrangements During the three months ended December 31, 2025, no director or officer (as defined in Rule 16a-1(f) under the Securities Exchange Act of 1934, as amended) of the Company adopted , modified, or terminated a "Rule 10b5-1 trading arrangement." The following elections made pursuant to the Company's Deferred Compensation Program (DC Program) and Executive Stock Unit Program (ESU Program) may be considered to constitute "non-Rule 10b5-1 trading arrangements." As such, we have disclosed them below. All elections were made at a time when the individual was not aware of material non-public information about the Company. The securities under the DC Program and the ESU Program are issued from the Company to the individual and no market transaction is involved. Elections were made pursuant to the DC Program, effective December 15, 2025, which deferred cash compensation that would have been earned from January 1, 2026 through December 31, 2026, into Company stock units convertible into Company common stock on a one-to-one basis. Angela Barbee (director), J. Tyson Hagale (EVP, President - Bedding Products), and R. Samuel Smith, Jr. (EVP, President - Specialized Products and Furniture, Flooring & Textile Products) elected to defer cash compensation into stock units. The number of stock units acquired under the DC Program is determined by taking the cash deferred and dividing it by 80% of the closing price of the Company common stock on the NYSE on the date the cash would have otherwise been paid. On December 4, 2025, Tammy M. Trent (SVP and CAO) elected to withdraw from participation in the ESU program beginning January 1, 2026. The number of stock units awarded in the ESU Program is determined by taking the amount of any Company matching contributions and dividend equivalent contributions and dividing it by 85% of the fair market value of the Company common stock on the date the cash would have otherwise been paid. 2026 Restructuring Plan Because we are filing this Annual Report on Form 10-K within four business days after the triggering event, we are making the following disclosure under this Item 9B instead of filing a Form 8-K under

Company Information