GENESCO INC - (GCO)
10-K Filing Date: March 27, 2024
Cybersecurity is one of our most critical risks. For many activities important to our business, we depend on the confidentiality, integrity and availability of information systems and data, some of which are provided or managed by third parties. We have strategically integrated cybersecurity risk management into our broader enterprise risk management function to promote a company-wide culture of cybersecurity risk management.
Management is responsible for the day-to-day handling of risks facing the Company, while the Board of Directors, as a whole and through its committees, oversees risk management, including cybersecurity risks. The Board has delegated certain risk management responsibilities with respect to cybersecurity to the Audit Committee.
On behalf of the Board, the Audit Committee provides oversight of our management of cybersecurity risk. The Audit Committee regularly reviews our cybersecurity risks, incidents, audits, assessments, crisis readiness, awareness activities and compliance with cybersecurity and privacy laws and regulations. Our Vice President, Information Security and Privacy jointly with our Senior Vice President, Chief Strategy and Digital Officer brief the Audit Committee quarterly, and more often, if necessary, on active and emerging cybersecurity threats and efforts to strengthen our defenses against these threats.
Our Information Security and Privacy teams reduce first- and third-party risk by maintaining a proactive security posture aligned with current threats, detecting cybersecurity events and responding quickly, and building procedures to recover rapidly. These teams are managed by the Vice President, Information Security and Privacy, who reports to the Senior Vice President, Chief Strategy and Digital Officer. Our cybersecurity leaders collectively have more than 25 years of relevant experience and hold multiple professional certifications.
Internal and third-party risks are reviewed, monitored, and managed by our Cybersecurity and Privacy teams, audited by an Internal Audit team and various external experts, and tracked within an Enterprise Risk Management framework. We regularly engage third-party experts to assess the effectiveness of our cybersecurity programs. Biennially, an external independent consultancy team conducts an assessment of our cybersecurity program using the inputs from accepted Cybersecurity Frameworks. Targeted assessments are conducted regularly by internal and third-party experts to ensure compliance with specific federal and state laws and regulations. We continue to participate in the VISA TIP program and AMEX STEP program around our PCI DSS compliance.
Our processes for identifying and managing first- and third-party risks from cybersecurity threats include:
Continuous monitoring of our systems and network for cybersecurity events;
Regular testing of our Security Incident Response Plan, Business Continuity plans, and Disaster Recovery plans;
Required annual security training for our employees with access to email, as well as tailored training for employees in more sensitive roles. Periodic testing to ensure the security training is effective.
External managed security services providers and industry-leading security tools continuously monitor our systems and network for cybersecurity threats. Our cybersecurity teams evaluate the escalated threats and, if necessary, take steps to contain and recover from pervasive threats in accordance with our Security Incident Response Plan. The plan includes reporting and escalation procedures to inform the Executive Committee, Audit Committee, and full Board, as appropriate, to enable them to carry out their oversight responsibilities and to ensure timely compliance with applicable reporting rules. Our Business Continuity Management and Disaster Recovery plans include procedures for business recovery and are tested regularly.
No risks from cybersecurity threats or previous cybersecurity incidents have materially affected our business strategy, results of operations, or financial condition. However, there can be no assurance that our controls and procedures in place to monitor and mitigate the risks of cyber threats will be sufficient and/or timely and that we will not suffer material losses or consequences in the future. Additionally, while we have in place insurance coverage designed to address certain aspects of cyber risks, such insurance coverage may be insufficient to cover all insured losses or all types of claims that may arise.