Ollie's Bargain Outlet Holdings, Inc. (OLLI)

10-K Filing Date: March 27, 2024

Item 1C. Cybersecurity

The Board recognizes the importance of maintaining the trust and confidence of our customers, associates, vendors, and other business partners through the effective management of Company enterprise risks. The Board, through its Audit Committee, oversees the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management (“ERM”). Cybersecurity policies, standards, processes, and practices comprise an integral part of the Company’s ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology, the Payment Card Industry Data Security Standard and other applicable industry standards. In general, the Company addresses cybersecurity risks through a comprehensive, cross-functional approach focused on preserving the confidentiality, security, and availability of the information that the Company collects and stores by, first, identifying, preventing, and mitigating cybersecurity threats and, when needed, effectively responding to cybersecurity incidents.


Risk Management and Strategy
The Company's cybersecurity program focuses on the following key areas:

- As discussed in more detail under the heading "Governance," the Board oversees the Company's ERM functions through its Audit Committee (the "Audit Committee"). The Audit Committee, in turn, oversees the Company's Risk Management Committee (the "Risk Committee"), which includes the Company's Chief Information Officer ("CIO"), who fulfills the role of Chief Information Security Officer ("CISO"), other members of management, and select personnel from key departments. The Risk Committee regularly meets to discuss, evaluate, and address the ever-changing landscape of enterprise risks. The Risk Committee then reports to, and solicits direction and input from, the Audit Committee.

- The Company has implemented a comprehensive, cross-functional approach to identifying, mitigating, and preventing cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents, so that management can make decisions regarding the public disclosure and reporting of such incidents in a timely manner. The Board, Company management, other key associates, and outside vendors and service providers work together and diligently at all levels of the ERM function.

- The Company deploys technical safeguards that are designed to protect the Company's information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which the Company evaluates and improves through vulnerability assessments and cybersecurity threat intelligence.

- The Company has established and maintains comprehensive incident response and recovery plans that fully address the Company's response to a cybersecurity incident. Such plans are tested and evaluated on a regular basis.

- The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties (including vendors, service providers, and other external users of the Company's systems) as well as the systems of third parties that could adversely impact the Company's business in the event of a cybersecurity incident affecting those third-party systems.

- The Company conducts regular training for its associates regarding cybersecurity threats, as a means to equip the Company's associates with effective tools to address cybersecurity threats and to communicate the Company's evolving information security policies, standards, processes, and practices.
 
The Company regularly assesses and tests the Company’s policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. The CIO’s team reports the results of such assessments, audits, and reviews to the Risk Committee and the Audit Committee on a quarterly basis, and the Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the valuable information gleaned during these assessments, audits, and reviews.
 
Governance and Board Oversight
 
The Board, through its Audit Committee, pursuant to the Audit Committee’s charter, and in coordination with the Company’s Risk Committee, oversees the Company’s ERM process, including the management of risks arising from cybersecurity threats. The Risk Committee solicits regular presentations and reports on cybersecurity risks from various departments within the Company, expressly seeking a wide range of input and viewpoints on the ERM process. The Risk Committee considers topics such as recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to the Company’s peers and third parties.
 
On a quarterly basis, the Risk Committee meets to discuss ERM, including cybersecurity processes, keeping adequate records of its consideration of the applicable ERM topics. The Risk Committee reports quarterly to the Board’s Audit Committee, responding to the comments, questions, directives, and input from the members thereof, and engaging in a fulsome discussion of the Company’s approach to, among other things, cybersecurity risk management.
 

Company Management
 
The CIO, in coordination with the Company's IT Security and Compliance ("ITSEC") team, works collaboratively across the Company to implement a program designed to protect the Company's information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company's incident response and recovery plans.
 
The CIO has served in various roles in information technology for over 32 years, including 16 years with responsibility for overseeing cybersecurity efforts in large publicly traded companies. The ITSEC team includes a dedicated manager and security analysts. The ITSEC team also has access to two dedicated consultants who each have over 20 years' experience managing cybersecurity risk and infrastructure security in large publicly traded companies.
 
The Company’s Incident Response Team, which includes the Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, CIO, and General Counsel, receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
 
To facilitate the success of the Company’s cybersecurity components of the ERM program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CIO and the ITSEC team monitor the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to the Risk Committee and Audit Committee when appropriate.
 
Cybersecurity Risks
 
Despite the security measures we have implemented, certain cybersecurity incidents could disrupt our operational systems if our IT resources are compromised by an intentional attack which results in the loss of trade secrets or other proprietary or competitively sensitive information; compromises personally identifiable information regarding customers or employees; delays our ability to deliver products to customers; jeopardizes the security of our facilities; or causes other damage.
 
During the fiscal year ended February 3, 2024, we did not experience any material impact to our business, financial position, or operations resulting from previously identified cyberattacks or other information security incidents, but we cannot provide assurance that we will not be materially affected in the future by such risks or by any future material breaches. While our lack of an online shopping option or an omnichannel customer experience may pose risks to our business, that same aspect of our operations insulates us from the level of cybersecurity risk faced by peers that operate such channels.
 
We continuously seek to maintain a robust program of information security and controls, but the impact of a material cybersecurity incident could have an adverse effect on our competitive position, reputation, results of operations, financial condition, and cash flows.
 
Additionally, in addition to our cybersecurity program designed to protect and preserve the confidentiality, integrity, and availability of our information systems, we maintain cybersecurity insurance to manage potential liabilities resulting from specific cyber-attacks. Although we maintain cybersecurity insurance, there can be no guarantee that our insurer(s) will cover specific claims, pay the full costs of an incident, or provide payment in a timely manner.
 
For more information, please see “Item 1A – Risk Factors – Technology and Cybersecurity.”
 