FOOT LOCKER, INC. - (FL)
10-K Filing Date: March 28, 2024
Cybersecurity risk management and strategy
Information security is an important part of the Company’s culture and foundational to its management. This philosophy is emphasized throughout the organization by the Board of Directors, senior leadership, and team members to help promote a Company-wide culture of cybersecurity risk management.
We use information technology and third-party service providers to support our global business processes and activities, which exposes us to cybersecurity risks. We have from time to time experienced cybersecurity incidents. In the event of a cybersecurity incident, we respond in accordance with our policies, processes, applicable laws, and regulations. When necessary, we also engage third parties, such as cybersecurity advisors, to assist in investigating and remediating incidents. To date, the cybersecurity incidents have not had a material effect on our business strategy, results of operations, or financial condition.
Key Program Components
We take cybersecurity seriously, and our cybersecurity program is aligned to well-known and established cybersecurity frameworks. We use, and continue to improve, our cyber defense-in-depth strategy, which uses multiple layers of security for holistic protection.
Our cybersecurity governance program is strategically integrated into our enterprise risk management and is periodically presented to the Audit Committee (which is responsible for oversight of the enterprise risk management framework associated with technology, security, data, and privacy) and to the Board of Directors. These procedures include regular risk monitoring by management to update current risks and identify potential new and emerging risks. The Technology Committee receives regular briefings from our Chief Operations Officer, Chief Technology Officer, Chief Information Security Officer, and outside experts on cybersecurity risks and cyber risk oversight. During these meetings, the Technology Committee and management discuss these risks, risk management activities and efforts, best practices, lessons learned from incidents at other companies, the effectiveness of our security measures, and other related matters. The Technology Committee Chair reports on the committee’s meetings, considerations, and actions to the Board at the next Board meeting following each Technology Committee meeting. The Audit Committee also discusses and receives updates on cybersecurity matters in connection with its oversight of enterprise risk management.
We also maintain a variety of incident response plans that are utilized when incidents are detected. We conduct periodic tabletop exercises, in which different internal and external stakeholders, including from time to time our CEO, Non-Executive Chair, or Board of Directors, participate in a simulated cyber scenario. The purpose of these exercises is to test our cyber incident response plan, identify weaknesses or gaps, and ensure that all participants are aware of, and familiar with, their roles and responsibilities.
We require employees with access to information systems to undertake data protection and cybersecurity training. In addition, certain individuals with privileged access, such as system administrators and developers, are subject to additional controls and monitoring activities. We also conduct periodic phishing campaigns to train users to better identify, report, and avoid malicious content.
We recognize that third-party service providers may introduce cybersecurity risks to our organization. In an effort to mitigate these risks, we have implemented a process, applied before engaging a third-party service provider, that is designed to assess the provider’s cybersecurity practices. Additionally, we endeavor to include cybersecurity requirements in our contracts with these providers, requiring them to adhere to certain cybersecurity standards and protocols.
Our Chief Information Security Officer, with oversight from the Chief Technology Officer and Chief Operations Officer, is primarily responsible for assessing and managing cybersecurity risks. Our Chief Information Security Officer has extensive cybersecurity knowledge and skills gained from over 25 years’ experience in the field. Our Chief Information Security Officer is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents.
Several experienced information security professionals report to our Chief Information Security Officer, who is also supported by a team of trained cybersecurity staff. In addition to our extensive in-house cybersecurity capabilities, at times we also engage assessors, consultants, auditors, or other third parties to assist with assessing, identifying, and managing cybersecurity risks.
Notwithstanding the breadth of the Company’s information security program, it may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse impact. For a discussion of whether and how any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition, see Item 1A. "Risk Factors," which is incorporated by reference into this Item 1C.