CATO CORP - (CATO)

10-K Filing Date: March 27, 2024
Item 1C. Cybersecurity

Risk Management Strategy
 
We recognize the importance of effectively managing cybersecurity risk in protecting our business, customers and employees, and we manage cybersecurity risk as part of our overall risk management system and compliance processes. We maintain a process designed to identify, assess and manage material risks from cybersecurity threats, including risks relating to theft of customer data, primarily payment cards, disruption to business operations or financial reporting systems, fraud, extortion, harm to employee data and violation of privacy laws. In recent years, we have increased our investments in cybersecurity risk management within our environment and have developed an enterprise cybersecurity program designed to detect, identify, classify and mitigate cybersecurity and other data security threats. This program classifies potential threats by risk levels, and we typically prioritize our threat mitigation efforts based on those risk classifications. In the event we identify a potential cybersecurity, privacy or other data security issue, we have defined procedures for responding to such issues, including procedures that address when and how to engage with Company executives, our Board of Directors, other stakeholders and law enforcement when responding to such issues. Additionally, various aspects of our cybersecurity program, particularly compliance with the Payment Card Industry standards, are regularly reviewed by independent third parties. We also maintain cybersecurity insurance, which we believe to be commensurate with our size and the nature of our operations, as part of our comprehensive insurance portfolio.

We utilize third-party intrusion detection and prevention systems and vulnerability and penetration testing to monitor our environment. We also use third-party software to test our employees' responses to suspicious emails and to inform targeted cyber awareness training. Our information security and privacy policies are informed by regulatory requirements and are reviewed periodically for compliance and alignment with current state and federal laws and regulations. We comply with applicable industry security standards, including the Payment Card Industry Data Security Standard (“PCI DSS”). Because we are aware of the risks associated with third-party service providers, we also have implemented processes to oversee and manage these risks. We conduct security assessments of third-party providers before engagement and maintain ongoing monitoring to help ensure compliance with our cybersecurity standards.
 
 
Additionally, we maintain a cybersecurity incident response plan, which is reviewed regularly, and provides a framework for handling and escalating cybersecurity incidents based on the severity of the incident and facilitates cross-functional coordination across the Company.

Through the processes described above, we did not identify risks during the year ended February 3, 2024 from current or past cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, we face ongoing risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations, or financial condition. See the risk factors discussed under the heading, “Risk Factors - Risks Relating to Our Information Technology, Related Systems and Cybersecurity” for further information.

Governance
 
Our Board of Directors recognizes the important roles that information security and mitigating cybersecurity and other data security threats play in our efforts to protect and maintain the confidentiality and security of customer, employee and vendor information, as well as non-public information about our Company. Although the Board as a whole is ultimately responsible for the oversight of our risk management function, the Board has delegated to its Audit Committee primary responsibility for oversight of risk assessment and risk management, including risks related to cybersecurity and other technology issues. The Audit Committee also oversees the Company’s internal control over financial reporting, including with respect to financial reporting-related information systems. The Chief Financial Officer (CFO) and Chief Accounting Officer (CAO) meet regularly with the Audit Committee and Board of Directors. The Audit Committee reviews quarterly our cybersecurity activities, including review of annual external assessment results, training results, and discussion of cybersecurity risks and resolutions, and is responsible for elevating significant matters to the Board as events arise. The Audit Committee receives reports from our Chief Information Officer (CIO) annually regarding our cybersecurity framework, as well as our plans to mitigate cybersecurity risks and respond to any data breaches.

From a management perspective, our enterprise cybersecurity is overseen by our cybersecurity committee, which is chaired by our CFO and includes our CAO, CIO, Chief Information Security Officer (CISO), as well as key members of financial management, information technology and audit. Our cybersecurity infrastructure is overseen by our CISO, who reports to our CIO. Our CIO reports to our CFO and has served in various roles in information technology and information security for over 30 years.