MOVADO GROUP INC - (MOV)

10-K Filing Date: March 26, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

The Company recognizes the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers, and violation of data privacy laws.

Identifying and assessing cybersecurity risk is integrated into the Company’s overall risk management processes. Cybersecurity risks are identified and addressed through internal information technology security, governance, risk and compliance reviews, as well as periodic third-party assessments. To defend against, detect and respond to cybersecurity incidents, the Company maintains technical and organizational safeguards, including employee training, incident response capability reviews and exercises, cybersecurity insurance and disaster recovery plans. The Company also performs penetration testing to test security controls and monitors emerging laws and regulations related to data protection and information security. In addition, the Company performs third-party risk management (including gathering information via questionnaires and/or service organization controls (SOC) reports) to identify and mitigate risks from third parties such as vendors, suppliers and major customers that process the Company’s employee, business or customer data.

The Company’s cybersecurity incident response and breach management processes are intended to detect and analyze security incidents; to contain, eradicate and recover from such incidents; and to conduct a post-incident analysis to determine whether any changes to processes or security measures are merited. Such incident responses are overseen by a Breach Response Team consisting of leaders from the Company’s Information Technology, Legal, Finance, Risk Management and Human Resources departments, with the assistance of external technical, legal and law enforcement support, as and when appropriate. Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality and operational, business and privacy impact, as well as the potential need for timely public disclosure.

From time to time the Breach Response Team conducts tabletop exercises to simulate responses to cybersecurity incidents, including the analysis of risks and the development of detection, mitigation and remediation strategies. The Breach Response Team also uses these exercises as an opportunity to discuss other topics related to cybersecurity, including notable developments in this area.

In the last three fiscal years, the Company has not experienced any material cybersecurity incidents or incurred any material expenses related to cybersecurity incidents. For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, see Item 1A. Risk Factors – “The Company depends on its information systems to run its business and any significant breach of or disruption to those systems could materially disrupt the Company’s business” and “If the Company were to experience a significant privacy breach, it could be subject to costly government enforcement actions and private litigation and suffer significant negative publicity which could materially and adversely affect the Company’s results of operations,” which are incorporated by reference into this Item 1C.

Governance

The Audit Committee of the Board of Directors has assumed responsibility for the oversight of management’s strategies and processes for addressing risks from cybersecurity threats. The Audit Committee or the full Board receives quarterly updates regarding cybersecurity and data privacy matters from senior management, including leaders from the Information Technology and Legal teams. This generally includes briefings regarding existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), a cybersecurity maturity scorecard, status of key information security initiatives, and significant developments in data privacy regulations.

The Company’s cybersecurity risk management and strategy processes are overseen by leaders from the Information Technology team (specifically, the Company’s chief technology officer, its chief information officer, and its senior manager for cybersecurity) who collectively have over 75 years of prior work experience in various information technology roles, including security, auditing, compliance, systems and programming, and whose credentials have included Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC) and Certified Information Systems Security Professional certifications. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of, cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. Potentially significant cybersecurity incidents are reported to the Breach Response Team. If the Breach Response Team deems the incident material, it will promptly notify the Audit Committee or the full Board of Directors. The Audit Committee or Board receives updates regarding other incidents during management’s regular quarterly cybersecurity updates. In addition, the Company's Internal Audit function, whose leader possesses a Certified Information Systems Auditor (CISA) certification, reviews certain cybersecurity controls in connection with its information technology audit procedures.
