| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Jan. 03, 2026 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Sleep Number uses a “defense in depth” approach for its cybersecurity risk management program leveraging the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. The Company regularly assesses the threat landscape for cybersecurity risks, with a strategy based on prevention, detection and mitigation. The Company’s information technology (IT) security team–led by the Chief Product and Enterprise Strategy Officer (CPESO)–reviews cybersecurity risks on an ongoing basis. IT security team members who support the Company’s information security program have relevant educational and industry experience. The CPESO, and their team, provide regular reports to senior management, the Audit Committee, and other relevant teams on various cybersecurity threats, assessments and findings. The IT security team has established policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats (including Generative AI associated risks). These threats are also identified and assessed through the Company’s overall risk management program, including quarterly assessments of IT systems, cybersecurity, and related risks. The Company engages in an ongoing review of all cybersecurity events and threats to assess the materiality of each event, if any. The Company maintains controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Audit Committee in a timely manner. The Company assesses cybersecurity risks on an ongoing basis, including assessing and deploying technical safeguards designed to protect its information systems from cybersecurity threats. 
The Company has established comprehensive incident response and recovery plans, regularly tests and evaluates the effectiveness of those plans, and maintains cybersecurity risk insurance. The Company implements processes to identify, prioritize, assess, mitigate and remediate risks associated with third-party service providers. It conducts security assessments of critical third-party providers before engagement and maintains ongoing monitoring to ensure compliance with the Company’s cybersecurity standards. The monitoring includes ongoing assessments by the IT security team. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties. The Company also contractually requires third parties it engages to have security programs commensurate with their risk, while retaining certain audit rights for higher risk third parties. The Company regularly reminds its team members and contractors of the importance of handling and protecting customer and employee data. The Company provides all its team members with dedicated cybersecurity awareness training annually and conducts monthly phishing simulation testing and other cybersecurity awareness campaigns (e.g., intranet articles, cybersecurity awareness month). Further, the Company sponsors a year-long "Cybersecurity Champions Academy" where team members from all across the Company are engaged in a cybersecurity-focused community which more deeply embeds cybersecurity awareness through monthly meetings, topical projects, and cyber-skill sharing. The Company engages with a range of external experts, including cybersecurity assessors, auditors, and legal counsel, in evaluating and testing its cybersecurity risk management systems. This enables the Company to leverage specialized knowledge, experience and insights, to help ensure its cybersecurity strategies and processes remain current. 
• The Company has cybersecurity operations and security engineering capabilities that provide comprehensive monitoring to detect and respond to cyber threats and alerts and execute cyber incident response playbooks. This includes a vulnerability management program which identifies and drives remediation of risks. The Company employs a wide array of industry-leading security platforms and tools.
• The Company has retained data security and data privacy legal counsel whose practices focus on data breach response, information security compliance, and compliance with the data privacy laws in the various jurisdictions in which the Company operates.
• In addition, the Company engages specialized consultants and third-party managed service providers on a project-specific basis to assist it with projects that will improve the Company’s IT infrastructure, strengthen its security posture and cyber incident investigations, and improve its cyber readiness.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Sleep Number uses a “defense in depth” approach for its cybersecurity risk management program leveraging the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. The Company regularly assesses the threat landscape for cybersecurity risks, with a strategy based on prevention, detection and mitigation. The Company’s information technology (IT) security team–led by the Chief Product and Enterprise Strategy Officer (CPESO)–reviews cybersecurity risks on an ongoing basis. IT security team members who support the Company’s information security program have relevant educational and industry experience. The CPESO, and their team, provide regular reports to senior management, the Audit Committee, and other relevant teams on various cybersecurity threats, assessments and findings. The IT security team has established policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats (including Generative AI associated risks). These threats are also identified and assessed through the Company’s overall risk management program, including quarterly assessments of IT systems, cybersecurity, and related risks. The Company engages in an ongoing review of all cybersecurity events and threats to assess the materiality of each event, if any. The Company maintains controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Audit Committee in a timely manner.
|
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] | The Company has not experienced any material security incidents or data breaches as a result of a compromise of its information systems and is not aware of any cybersecurity incidents that have had a material impact, or are reasonably likely to materially affect, its business strategy, operating results, cash flows and financial condition.
|
| Cybersecurity Risk Board of Directors Oversight [Text Block] | At the Board level, the Audit Committee is formally tasked with assisting the full Board in overseeing information security systems, including cybersecurity, and reporting to the Board with respect to significant and material developments or proposed changes to the Company’s cybersecurity framework. The Audit Committee receives regular reports from the CPESO about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information security threats and risks. The Audit Committee also receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, and relevant internal and industry cybersecurity incidents and emerging threats.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Company assesses cybersecurity risks on an ongoing basis, including assessing and deploying technical safeguards designed to protect its information systems from cybersecurity threats. The Company has established comprehensive incident response and recovery plans, regularly tests and evaluates the effectiveness of those plans, and maintains cybersecurity risk insurance. The Company implements processes to identify, prioritize, assess, mitigate and remediate risks associated with third-party service providers. It conducts security assessments of critical third-party providers before engagement and maintains ongoing monitoring to ensure compliance with the Company’s cybersecurity standards. The monitoring includes ongoing assessments by the IT security team. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties. The Company also contractually requires third parties it engages to have security programs commensurate with their risk, while retaining certain audit rights for higher risk third parties. The Company regularly reminds its team members and contractors of the importance of handling and protecting customer and employee data. The Company provides all its team members with dedicated cybersecurity awareness training annually and conducts monthly phishing simulation testing and other cybersecurity awareness campaigns (e.g., intranet articles, cybersecurity awareness month). Further, the Company sponsors a year-long "Cybersecurity Champions Academy" where team members from all across the Company are engaged in a cybersecurity-focused community which more deeply embeds cybersecurity awareness through monthly meetings, topical projects, and cyber-skill sharing. 
The Company engages with a range of external experts, including cybersecurity assessors, auditors, and legal counsel, in evaluating and testing its cybersecurity risk management systems. This enables the Company to leverage specialized knowledge, experience and insights, to help ensure its cybersecurity strategies and processes remain current.
• The Company has cybersecurity operations and security engineering capabilities that provide comprehensive monitoring to detect and respond to cyber threats and alerts and execute cyber incident response playbooks. This includes a vulnerability management program which identifies and drives remediation of risks. The Company employs a wide array of industry-leading security platforms and tools.
• The Company has retained data security and data privacy legal counsel whose practices focus on data breach response, information security compliance, and compliance with the data privacy laws in the various jurisdictions in which the Company operates.
• In addition, the Company engages specialized consultants and third-party managed service providers on a project-specific basis to assist it with projects that will improve the Company’s IT infrastructure, strengthen its security posture and cyber incident investigations, and improve its cyber readiness.
|
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The CPESO has primary operational responsibility for the Company’s cybersecurity function. The CPESO has served in various leadership positions for over 20 years, with 3 years specifically leading information technology. The CPESO, and the Chief Legal and Risk Officer have primary responsibility for assessing and managing material cybersecurity risks. This group, and their supporting teams, meets quarterly to review security performance metrics, identify security risks, and assess the status of approved security enhancements. This group also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies.
|
| Cybersecurity Risk Role of Management [Text Block] | The CPESO has primary operational responsibility for the Company’s cybersecurity function. The CPESO has served in various leadership positions for over 20 years, with 3 years specifically leading information technology. The CPESO, and the Chief Legal and Risk Officer have primary responsibility for assessing and managing material cybersecurity risks. This group, and their supporting teams, meets quarterly to review security performance metrics, identify security risks, and assess the status of approved security enhancements. This group also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | The CPESO has primary operational responsibility for the Company’s cybersecurity function. The CPESO has served in various leadership positions for over 20 years, with 3 years specifically leading information technology. The CPESO, and the Chief Legal and Risk Officer have primary responsibility for assessing and managing material cybersecurity risks. This group, and their supporting teams, meets quarterly to review security performance metrics, identify security risks, and assess the status of approved security enhancements. This group also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies.
|
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | At the Board level, the Audit Committee is formally tasked with assisting the full Board in overseeing information security systems, including cybersecurity, and reporting to the Board with respect to significant and material developments or proposed changes to the Company’s cybersecurity framework. The Audit Committee receives regular reports from the CPESO about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information security threats and risks. The Audit Committee also receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, and relevant internal and industry cybersecurity incidents and emerging threats.
|
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |