BUILD-A-BEAR WORKSHOP INC - (BBW)

10-K Filing Date: April 18, 2024
ITEM 1C.

CYBERSECURITY

We aim to foster and preserve the confidence of customers, employees, shareholders, and other stakeholders regarding our technology and data practices. Our commitments to digital trust, aligned with our core values of service, excellence, integrity, and individual respect, form the basis of our cybersecurity approach.

Cybersecurity Risk, Management and Strategy

We acknowledge the critical nature of evaluating, pinpointing, and addressing the significant risks posed by cybersecurity threats. Our organization has established a comprehensive set of processes, technologies, and mechanisms to support the identification, evaluation, and management of these risks. Central to our cybersecurity strategy is the mitigation of threats, ensuring the robustness and reliability of our system infrastructures. We utilize the guidelines provided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework to shape our cybersecurity initiatives and comply with the Payment Card Industry Data Security Standards where necessary.

Our cybersecurity risk management is intricately integrated into our broader enterprise risk management strategy. Our aim is to effectively identify, prioritize, and manage risks under robust governance, ensuring a secure and resilient organizational environment.

The daily operational responsibility for our cybersecurity initiatives falls to our dedicated cybersecurity team, headed by the Chief Technology Officer (CTO). This team collaborates with external partners to forge and execute our data security and cybersecurity plans, including risk assessments, monitoring activities, and training for our employees. We are committed to continually investing in the enhancement of our capabilities to identify, protect against, and detect security threats.

We employ a suite of tools and services that support the continuous surveillance and reduction of cyber risks. Our internal teams undertake regular audits and penetration testing throughout the year. External third-party experts are enlisted annually to assess our cybersecurity maturity, conduct risk evaluations, and offer specialized knowledge on various cybersecurity matters. Our security operations center operates 24/7 to identify, lessen, and react to cyber threats promptly. Defined protocols are in place to manage and mitigate any detected cybersecurity incidents swiftly, with regular reviews of our policies and procedures to ensure compliance with evolving regulatory standards and the dynamic threat landscape.

The Incident Response Team (IRT) at our company is a specialized, multidisciplinary group empowered to act swiftly and effectively in managing and communicating cybersecurity incidents. The IRT operates under a comprehensive incident response plan, detailing the procedures for preparing, detecting, responding to, and recovering from cyber incidents. This includes triage, severity assessment, escalation, containment, investigation, and remediation processes, in addition to meeting legal requirements and minimizing damage to the brand and reputation. Regular tabletop exercises are conducted to simulate cyber incidents, enhancing our response strategies, plans, and technology.

Our company ensures that all new hires and existing employees undergo data security and privacy training annually, with additional specialized training for certain roles. Periodic campaigns and simulated phishing tests are also conducted to maintain awareness and vigilance against potential risks.

Vendor security is maintained using programs that evaluate the risk associated with service providers and business partners, focusing on the nature of data accessed or retained. This risk-based approach guides our due diligence and security assessments for selected vendors, ensuring that our contracts reflect the necessary security commitments.

Through the date of filing this Annual Report, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our Company, including our business strategy, results of operations, or financial condition. We have not encountered any significant incidents in the past fiscal year. However, we are aware of the ongoing threats that could, if materialized, have a significant impact on our business operations, strategies, or financial condition. Despite our rigorous cybersecurity efforts, we recognize that no system is infallible, and thus we cannot guarantee complete efficacy in preempting or mitigating all potential cyber threats. We continuously evaluate and disclose how identified cybersecurity risks, including those from past incidents, could materially influence our operational, strategic, or financial landscapes.

Cybersecurity Governance

Our commitment to establishing a secure digital realm is underpinned by the structured governance and management of our data security and privacy policies and strategies. Our Board of Directors, which has primary responsibility for overseeing risk management, has delegated risk management oversight responsibility for information systems, information security, data privacy and cybersecurity to the Audit Committee, a member of which has extensive technology experience, including in the area of cybersecurity. The Audit Committee engages in regular, at least quarterly, discussions on these topics, informed by reports from our IT Security Team led by the CTO. Specific topics may include updates to the Company’s approach to cybersecurity risk management; recent developments; key initiatives; the threat landscape; trends; and the results of certain assessments and testing. Periodically, the Audit Committee also receives presentations on cybersecurity matters from third-party cybersecurity experts. The Board of Directors receives reports from the Audit Committee chair on these and other risk-related matters as deemed necessary.

Our cybersecurity initiatives are led by our CTO and our Director of Security, who holds a Bachelor of Science, Management Information Systems and a Master of Science, Computer and Information Systems Security and Information Assurance. In addition, our CTO and our Director of Security have Computer Hacking Forensics Investigator and Certified Ethical Hacker certifications. Both, under the CTO’s leadership, have extensive experience in managing information security, crafting cybersecurity strategies, and spearheading initiatives to counter evolving cyber threats.

The Security and Technology Risk Leadership Committee, led by our CTO, oversees our cybersecurity initiatives, and comprises technology leaders and members of various departments across the company. Similarly, our Privacy, Data Governance, and Artificial Intelligence Committee, under the guidance of our Chief Privacy Officer, oversees our privacy and data governance strategies.
