RH - (RH)
10-K Filing Date: March 28, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Managing cybersecurity risks is an important component of our approach to enterprise risk management. As part of our overall risk management system, we have established certain procedures to assess, identify, mitigate and respond to risks from cybersecurity threats. We have regular programs to evaluate cybersecurity threats and to assess our systems, procedures and processes in order to identify areas of potential vulnerability and to improve our protection against evolving cybersecurity threats. We use a number of different methodologies in our regular assessment of cybersecurity risks with respect to our information systems, including vulnerability testing, security enhancement and evaluation of external threats, including in connection with potential data breach, ransomware and other forms of unauthorized access.
32 | FORM 10-K | PART I |
As part of our overall cybersecurity protection program, we have created a cross-functional cybersecurity team consisting of senior members of information technology, legal, accounting, internal audit and compliance teams (the “Incident Response Team”) that contributes to various aspects of our approach to managing cybersecurity risks. Our senior information technology leaders who are members of the Incident Response Team have experience and domain expertise in cybersecurity, including defining and implementing security policies and tools, understanding and evaluating relevant threats to our technology infrastructure as well as developing incident response protocols and security operations workflows. We also incorporate third-party expertise in various aspects of our cybersecurity program, including in the assessment and testing of weaknesses as well as the adoption of software and other solutions to mitigate risks and identify and respond to threats. Our Incident Response Team is involved in all aspects of our program to address cybersecurity matters, including with respect to the design and management of internal controls and procedures governing these matters.
Governance
Our information technology team oversees the day-to-day management of our cybersecurity program with regular reporting to representatives of our Incident Response Team. Our information technology team has overall responsibility for our cybersecurity risk management program and procedures and reports regularly to the Audit Committee of our Board of Directors on cybersecurity matters. From a governance perspective, (i) we have an executive response team consisting of various senior executives, including our Chief Financial Officer, as well as members of our Incident Response Team (the “Executive Response Team”) that oversees the recommendations, actions and responses of the Incident Response Team in connection with specific cybersecurity incidents, and (ii) the Audit Committee as well as our Chief Executive Officer are provided with updates from the Executive Response Team and the Incident Response Team regarding incidents as well as the policies, standards, processes and practices that we implement to address risks from cybersecurity threats. The Audit Committee receives regular presentations and reports on cybersecurity matters that address a wide range of topics, including recent developments, evolving standards, vulnerability assessments and third-party reviews.
Incident Response
We have a written information security incident response plan (the “Incident Response Plan”) that we use to assist in our response to cybersecurity incidents. The Incident Response Plan provides a framework and process for our Incident Response Team. While our Incident Response Team identifies our initial response to potential or actual cybersecurity incidents, the Executive Response Team oversees the actions and recommendations of the Incident Response Team in connection with specific cybersecurity events. In addition, we have various processes to escalate matters based upon the threat level severity. The Incident Response Team and Executive Response Team (i) make ongoing assessments of the severity of incidents, (ii) escalate these matters based upon the severity of the threat level, (iii) depending on the level of severity of an incident, also involve our Chief Executive Officer or Audit Committee and Board of Directors in assessing specific cybersecurity incidents, (iv) determine the appropriate level of response to specific incidents taking into account the nature of the incident, and (v) take overall responsibility for leading and coordinating response efforts, involving additional response team participants and retaining third-party assistance, including legal counsel and other third-party cybersecurity experts, and assessing materiality of an incident.
Threat Mitigation
While we engage in numerous efforts to protect ourselves from cybersecurity risks, we do periodically experience cybersecurity incidents. To date we have not experienced any cybersecurity threat or incident that has materially affected our business, results of operations or financial condition. We have also not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, us, including our business strategy, results of operations or financial condition. Although we have adopted various processes and preventative measures with the objective of preventing breaches and minimizing the risks from cybersecurity matters, given the nature of cybersecurity threats that are constantly evolving over time, there is no guarantee that we, including our business strategy, results of operations or financial condition, will not be adversely affected by such threats or that our preventative measures and processes will be effective. Additionally, although we have insurance coverage for cybersecurity events, there can be no assurance that we will be able to maintain our insurance coverage or that it will be enough to cover the cost associated with one or more cybersecurity events.
For further discussion of our risks related to cybersecurity, refer to Item 1A—Risk Factors—Material damage to, or interruptions in, information systems as a result of external factors, staffing shortages, cybersecurity breaches or cyber fraud, or difficulties in updating our existing software or developing or implementing new software could have a material adverse effect on our business or results of operations, and we may be exposed to risks and costs associated with protecting the integrity and security of our customers’ information.