CATO CORP - (CATO)
10-K Filing Date: March 27, 2024
Item 1C. Cybersecurity
Risk Management Strategy
customers and employees, and we manage cybersecurity risk as part of our overall risk management
system and compliance processes. We maintain a process designed to identify, assess and manage
material risks from cybersecurity threats, including risks relating to theft of customer data, primarily
payment cards, disruption to business operations or financial reporting systems, fraud, extortion, harm to
employee data and violation of privacy laws. In recent years, we have increased our investments in
cybersecurity risk management within our environment and have developed an enterprise cybersecurity
program designed to detect, identify, classify and mitigate cybersecurity and other data security threats.
This program classifies potential threats by risk levels, and we typically prioritize our threat mitigation
efforts based on those risk classifications. In the event we identify a potential cybersecurity, privacy or
other data security issue, we have defined procedures for responding to such issues, including procedures
that address when and how to engage with Company executives, our Board of Directors, other
stakeholders and law enforcement when responding to such issues. Additionally, various aspects of our
cybersecurity program, particularly compliance with the Payment Card Industry standards, are regularly
reviewed by independent third parties. We also maintain cybersecurity insurance, which we believe to be
commensurate with our size and the nature of our operations, as part of our comprehensive insurance
portfolio.
testing to monitor our environment. We also use third-party software to test our employees' responses to
suspicious emails and to inform targeted cyber awareness training. Our information security and privacy
policies are informed by regulatory requirements and are reviewed periodically for compliance and
alignment with current state and federal laws and regulations. We comply with applicable industry
security standards, including the Payment Card Industry Data Security Standard (“PCI DSS”). Because
we are aware of the risks associated with third-party service providers, we also have implemented
processes to oversee and manage these risks. We conduct security assessments of third-party providers
before engagement and maintain ongoing monitoring to help ensure compliance with our cybersecurity
standards.
provides a framework for handling and escalating cybersecurity incidents based on the severity of the
incident and facilitates cross-functional coordination across the Company.
2024 from current or past cybersecurity threats or cybersecurity incidents that have materially affected or
are reasonably likely to materially affect our business strategy, results of operations, or financial
condition. However, we face ongoing risks from certain cybersecurity threats that, if realized, are
reasonably likely to materially affect our business strategy, results of operations, or financial condition.
See the risk factors discussed under the heading, “Risk Factors — Risks Relating to Our Information
Technology, Related Systems and Cybersecurity” for further information.
Governance
cybersecurity and other data security threats play in our efforts to protect and maintain the confidentiality
and security of customer, employee and vendor information, as well as non-public information about our
Company. Although the Board as a whole is ultimately responsible for the oversight of our risk
management function, the Board has delegated to its Audit Committee primary responsibility for
oversight of risk assessment and risk management, including risks related to cybersecurity and other
technology issues. The Audit Committee also oversees the Company’s internal control over financial
reporting, including with respect to financial reporting-related information systems. The Chief Financial
Officer (CFO) and Chief Accounting Officer (CAO) meet regularly with the Audit Committee and Board
of Directors.
external assessment results, training results, and discussion of cybersecurity risks and resolutions, and is
responsible for elevating significant matters to the Board as events arise. The Audit Committee receives
reports from our Chief Information Officer (CIO) annually regarding our cybersecurity framework, as
well as our plans to mitigate cybersecurity risks and respond to any data breaches.
committee, which is chaired by our CFO and includes our CAO, CIO, Chief Information Security Officer
(CISO), as well as key members of financial management, information technology and audit. Our
cybersecurity infrastructure is overseen by our CISO, who reports to our CIO. Our CIO reports to our
CFO and has served in various roles in information technology and information security for over 30
years.