Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 28, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Sleep Number uses a “defense in depth” approach for its cybersecurity risk management program leveraging the
National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five
categories: identify, protect, detect, respond and recover. The Company regularly assesses the threat landscape for
cybersecurity risks, with a strategy based on prevention, detection and mitigation. The Company’s information
technology (IT) security team – led by the VP of Information Security, Infrastructure and Architecture and Chief Information
Officer – reviews cybersecurity risks on an ongoing basis. IT security team members who support the Company’s
information security program have relevant educational and industry experience. The VP of Information Security,
Infrastructure and Architecture, and their team, provide regular reports to senior management, the Audit Committee,
and other relevant teams on various cybersecurity threats, assessments and findings. The IT Security team has
established policies, standards, processes and practices for assessing, identifying, and managing material risks from
cybersecurity threats (including Generative AI associated risks), which are also identified and assessed through the
Company’s overall risk management program, including quarterly assessments of IT systems, cybersecurity and related
risks. The Company engages in an ongoing review of all cybersecurity events and threats to assess the materiality of
each event, if any.
The Company maintains controls and procedures that are designed to ensure prompt escalation of certain cybersecurity
incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and
the Audit Committee in a timely manner.
The Company assesses cybersecurity risks on an ongoing basis, including assessing and deploying technical safeguards
designed to protect its information systems from cybersecurity threats. The Company has established comprehensive
incident response and recovery plans, regularly tests and evaluates the effectiveness of those plans, and maintains
cybersecurity risk insurance.
The Company implements processes to identify, prioritize, assess, mitigate and remediate risks associated with third-
party service providers. It conducts security assessments of critical third-party providers before engagement and
maintains ongoing monitoring to ensure compliance with the Company’s cybersecurity standards. The monitoring
includes ongoing assessments by the IT security team. This approach is designed to mitigate risks related to data
breaches or other security incidents originating from third parties. The Company also contractually requires third parties
it engages to implement security programs commensurate with their risk.
The Company regularly reminds its team members and contractors of the importance of handling and protecting
customer and employee data. The Company provides all its team members with dedicated cybersecurity awareness
training annually and conducts monthly phishing simulation testing and other cybersecurity awareness campaigns (e.g.,
intranet articles, cybersecurity awareness month).
The Company engages with a range of external experts, including cybersecurity assessors, consultants, auditors, and
legal counsel, in evaluating and testing its cybersecurity risk management systems. This enables the Company to
leverage specialized knowledge, experience and insights, to help ensure its cybersecurity strategies and processes
remain current.
• The Company has cybersecurity operations and security engineering capabilities that provide comprehensive
monitoring to detect and respond to cyber threats and alerts and execute cyber incident response playbooks. This
includes a vulnerability management program which identifies and drives remediation of risks. The Company
employs a wide array of industry-leading security platforms and tools.
• The Company has retained data security and data privacy legal counsel whose practices focus on data breach
response, information security compliance, and compliance with the data privacy laws in the various jurisdictions in
which the Company operates.
• In addition, the Company engages specialized consultants and third-party managed service providers on a project-
specific basis to assist it with projects that will improve the Company’s IT infrastructure, strengthen its security
posture and cyber incident investigations, and improve its cyber readiness.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Sleep Number uses a “defense in depth” approach for its cybersecurity risk management program leveraging the
National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five
categories: identify, protect, detect, respond and recover. The Company regularly assesses the threat landscape for
cybersecurity risks, with a strategy based on prevention, detection and mitigation. The Company’s information
technology (IT) security team – led by the VP of Information Security, Infrastructure and Architecture and Chief Information
Officer – reviews cybersecurity risks on an ongoing basis. IT security team members who support the Company’s
information security program have relevant educational and industry experience. The VP of Information Security,
Infrastructure and Architecture, and their team, provide regular reports to senior management, the Audit Committee,
and other relevant teams on various cybersecurity threats, assessments and findings. The IT Security team has
established policies, standards, processes and practices for assessing, identifying, and managing material risks from
cybersecurity threats (including Generative AI associated risks), which are also identified and assessed through the
Company’s overall risk management program, including quarterly assessments of IT systems, cybersecurity and related
risks. The Company engages in an ongoing review of all cybersecurity events and threats to assess the materiality of
each event, if any.
The Company maintains controls and procedures that are designed to ensure prompt escalation of certain cybersecurity
incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and
the Audit Committee in a timely manner.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|The Company has not experienced any material security incidents or data breaches as a result of a compromise of its
information systems and is not aware of any cybersecurity incidents that have had a material impact, or are reasonably
likely to materially affect, its business strategy, operating results, cash flows and financial condition.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|At the Board level, the Audit Committee is formally tasked with assisting the full Board in overseeing information security
systems, including cybersecurity, and reporting to the Board with respect to significant and material developments or
proposed changes to the Company’s cybersecurity framework. The Audit Committee receives regular reports from the
CIO and the Vice President of Information Security, Infrastructure and Architecture about the prevention, detection,
mitigation, and remediation of cybersecurity incidents, including material security risks and information security threats
and risks. The Audit Committee also receives regular updates from management on cybersecurity risk resulting from risk
assessments, progress of risk reduction initiatives, and relevant internal and industry cybersecurity incidents and
emerging threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company assesses cybersecurity risks on an ongoing basis, including assessing and deploying technical safeguards
designed to protect its information systems from cybersecurity threats. The Company has established comprehensive
incident response and recovery plans, regularly tests and evaluates the effectiveness of those plans, and maintains
cybersecurity risk insurance.
The Company implements processes to identify, prioritize, assess, mitigate and remediate risks associated with third-
party service providers. It conducts security assessments of critical third-party providers before engagement and
maintains ongoing monitoring to ensure compliance with the Company’s cybersecurity standards. The monitoring
includes ongoing assessments by the IT security team. This approach is designed to mitigate risks related to data
breaches or other security incidents originating from third parties. The Company also contractually requires third parties
it engages to implement security programs commensurate with their risk.
The Company regularly reminds its team members and contractors of the importance of handling and protecting
customer and employee data. The Company provides all its team members with dedicated cybersecurity awareness
training annually and conducts monthly phishing simulation testing and other cybersecurity awareness campaigns (e.g.,
intranet articles, cybersecurity awareness month).
The Company engages with a range of external experts, including cybersecurity assessors, consultants, auditors, and
legal counsel, in evaluating and testing its cybersecurity risk management systems. This enables the Company to
leverage specialized knowledge, experience and insights, to help ensure its cybersecurity strategies and processes
remain current.
• The Company has cybersecurity operations and security engineering capabilities that provide comprehensive
monitoring to detect and respond to cyber threats and alerts and execute cyber incident response playbooks. This
includes a vulnerability management program which identifies and drives remediation of risks. The Company
employs a wide array of industry-leading security platforms and tools.
• The Company has retained data security and data privacy legal counsel whose practices focus on data breach
response, information security compliance, and compliance with the data privacy laws in the various jurisdictions in
which the Company operates.
• In addition, the Company engages specialized consultants and third-party managed service providers on a project-
specific basis to assist it with projects that will improve the Company’s IT infrastructure, strengthen its security
posture and cyber incident investigations, and improve its cyber readiness.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Chief Information Officer (CIO) has primary operational responsibility for the Company’s cybersecurity function. The
CIO has served in various roles in information technology and information security for over 28 years with nine years’
experience specifically in cybersecurity. The CIO, together with the Vice President of Information Security, Infrastructure
and Architecture – who has 20 years of cybersecurity experience and has maintained a Certified Information Systems
Security Professional (CISSP) certification since 2008 – and the Chief Legal and Risk Officer have primary responsibility for
assessing and managing material cybersecurity risks. This group, and their supporting teams, meets quarterly to review
security performance metrics, identify security risks, and assess the status of approved security enhancements. This
group also considers and makes recommendations on security policies and procedures, security service requirements,
and risk mitigation strategies.
|Cybersecurity Risk Role of Management [Text Block]
|The Chief Information Officer (CIO) has primary operational responsibility for the Company’s cybersecurity function. The
CIO has served in various roles in information technology and information security for over 28 years with nine years’
experience specifically in cybersecurity. The CIO, together with the Vice President of Information Security, Infrastructure
and Architecture – who has 20 years of cybersecurity experience and has maintained a Certified Information Systems
Security Professional (CISSP) certification since 2008 – and the Chief Legal and Risk Officer have primary responsibility for
assessing and managing material cybersecurity risks. This group, and their supporting teams, meets quarterly to review
security performance metrics, identify security risks, and assess the status of approved security enhancements. This
group also considers and makes recommendations on security policies and procedures, security service requirements,
and risk mitigation strategies.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Chief Information Officer (CIO) has primary operational responsibility for the Company’s cybersecurity function. The
CIO has served in various roles in information technology and information security for over 28 years with nine years’
experience specifically in cybersecurity. The CIO, together with the Vice President of Information Security, Infrastructure
and Architecture – who has 20 years of cybersecurity experience and has maintained a Certified Information Systems
Security Professional (CISSP) certification since 2008 – and the Chief Legal and Risk Officer have primary responsibility for
assessing and managing material cybersecurity risks. This group, and their supporting teams, meets quarterly to review
security performance metrics, identify security risks, and assess the status of approved security enhancements. This
group also considers and makes recommendations on security policies and procedures, security service requirements,
and risk mitigation strategies.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|At the Board level, the Audit Committee is formally tasked with assisting the full Board in overseeing information security
systems, including cybersecurity, and reporting to the Board with respect to significant and material developments or
proposed changes to the Company’s cybersecurity framework. The Audit Committee receives regular reports from the
CIO and the Vice President of Information Security, Infrastructure and Architecture about the prevention, detection,
mitigation, and remediation of cybersecurity incidents, including material security risks and information security threats
and risks. The Audit Committee also receives regular updates from management on cybersecurity risk resulting from risk
assessments, progress of risk reduction initiatives, and relevant internal and industry cybersecurity incidents and
emerging threats.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true