G III APPAREL GROUP LTD /DE/ - (GIII)
10-K Filing Date: March 25, 2024
Risk Management and Strategy
We have programs for assessing, identifying, and managing material risks from cybersecurity threats through the use of a suite of various security programs and tools including, but not limited to, Managed Security Service Provider and Extended Detection and Response monitoring and alerts, internal reporting mechanisms, monitoring tools, detection tools and continuous training. Our information security program undergoes regular evaluations, internal audits and various exercises, including tabletop, penetration, vulnerability testing and simulations. The findings from these activities, including identified security gaps, are integrated into our risk remediation process and subsequently updated across our suite of security tools and applications. Additionally, we conduct annual Payment Card Industry Data Security Standard compliance reviews and third-party penetration testing.
Our global cybersecurity team consists of multidisciplinary Information Technology (“IT”) resources from key areas and locales led by our Global Director of Cybersecurity. They are primarily responsible for delivering comprehensive reporting to executive management and auditors, addressing a wide array of cybersecurity threats, assessments, findings and future direction and strategy.
Continuous endpoint monitoring is ensured through collaboration with a third-party cybersecurity firm. Rapid response protocols are in place for high or critical severity incidents, involving isolation, segmentation and forensic examination by our cybersecurity team. In addition, we have engaged a dedicated third-party threat hunter to assist in identifying Indicators of Compromise.
Our Global Director of Cybersecurity leads a quarterly cybersecurity governance meeting comprising all IT teams from our subsidiaries. This meeting serves as a platform to review and discuss ongoing and upcoming security projects, compliance, and regulations.
We conduct a comprehensive annual tabletop exercise facilitated by an external cybersecurity specialist. This exercise involves simulating various attack vectors and utilizing our incident response plans and procedures to respond effectively, prevent, block, and remediate potential threats. This exercise also includes preparing for other related potential impacts to the Company, such as business interruptions, business continuity plans, backup strategies, data protection policies and compliance, incident response, third-party forensic and legal assistance, as well as consideration of regulations such as GDPR, CCPA, PCI and other cybersecurity regulations. This tabletop exercise is attended by members from all subsidiaries, including IT management teams as well as finance, legal, insurance, and operations management teams. We believe our holistic approach ensures we are well-prepared and coordinated to handle a range of cybersecurity scenarios.
Our annual testing, which is conducted by an industry-leading third-party cybersecurity firm, encompasses external and internal penetration tests, Wi-Fi tests, social engineering and physical access testing for all subsidiaries. We also use a vulnerability management platform to provide comprehensive visibility and tracking of assets to aid us in systematically identifying, measuring and prioritizing cybersecurity and technology risks. We require employees with access to information systems, including all corporate employees, to undertake data protection and cybersecurity training and compliance programs annually.
Our third-party information technology vendors are assessed by independent auditors for compliance with System and Organization Controls (“SOC”) 1 and SOC 2. Access to our networks for third-party vendors is limited exclusively to the application related to the services they are engaged to provide. We routinely conduct external risk analyses by employing third-party rating tools to assess our vendors, quantifying and prioritizing identified risks based on the number and severity of vulnerabilities. Subsequently, we communicate these risks to our vendors proactively, seeking their collaboration in remediation efforts.
We annually purchase cybersecurity risk insurance policies that would help defray the costs associated with a covered cybersecurity incident if it occurred.
Governance
Our board of directors maintains comprehensive oversight of company-wide risk assessment by conducting in-depth analysis of key risks related to information security, technology and cybersecurity threats. The audit committee of our board of directors oversees, among other things, the adequacy and effectiveness of our internal controls, including internal controls designed to assess, identify, and manage material risks from cybersecurity threats. The audit committee receives quarterly reports on cybersecurity matters, including material risks and threats, from our Chief Information Officer (“CIO”) and our cybersecurity team. In the event of a cybersecurity incident, our Global Director of Cybersecurity or senior Information Technology management will notify our Disclosure Committee in accordance with the escalation criteria set forth by our incident response plan and related processes. Security incidents and events are classified based on severity (Critical, High, Medium), impact, and nature, as outlined in the Incident Response Plan. This classification system assists the cybersecurity team in prioritizing responses, allocating resources efficiently, and effectively managing risks.
Our Disclosure Committee comprises, among others, our Chief Financial Officer, Chief Growth and Operations Officer, CIO, Senior Vice President of Finance, Executive Vice President and Director of Strategic Planning, Senior Vice President of Investor Relations and Treasurer, Senior Vice President of Legal Counsel, Vice President of Legal Counsel, and the most senior members of the financial reporting, internal audit, financial planning and analysis, and tax functions.
Our CIO has over 28 years of experience leading our technology operations and a total of over 40 years of information technology experience in the banking and fashion apparel industries. Our Global Director of Cybersecurity has over 20 years of experience in information technology, including a dedicated focus of more than 6 years in cybersecurity, risk management and compliance, and he is a Certified Information Systems Security Professional (“CISSP”) and a Certified Ethical Hacker (“CEH”). Additionally, our Global Director of Cybersecurity currently serves as a governing body member for the New York Evanta CISO community.
As of the date of this Form 10-K, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition and that are required to be reported in this Form 10-K. For further discussion of the risks associated with cybersecurity incidents, see our “Risks Related to Cybersecurity, Data Privacy and Information Technology” contained in Item 1A - Risk Factors of this Annual Report on Form 10-K.