Designer Brands Inc. - (DBI)
10-K Filing Date: March 25, 2024
ITEM 1C. CYBERSECURITY
RISK MANAGEMENT AND STRATEGY
We have developed an information security program that is designed to address material risks from cybersecurity threats. Our information security program is integrated into our overall enterprise risk management process, which the Board ultimately oversees. The Board has delegated its responsibility for cybersecurity risk oversight to the Technology Committee of the Board, which is responsible for (i) regularly reviewing with management significant cybersecurity, privacy, and IT risks or exposures, and our policies and processes with respect to risk assessment and risk management of the same; (ii) regularly reviewing with management an assessment of the steps management has taken to monitor and control such risks; and (iii) regularly reporting to the full Board on such matters.
As described in further detail below, our information security program is led by our Director of IT Security & Compliance ("DITSC"), who is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. The program includes policies and procedures that guide our implementation and maintenance of security measures and controls. Risk-based analysis and judgment of the DITSC and our management team, along with feedback from internal and third-party audits and assessments, are used to select security controls to address risks. The following factors, among others, are considered when identifying security controls: likelihood and severity of a risk, impact on the Company and others if a risk materializes, feasibility of controls, and impact of controls on operations and others. Third parties also play a role in our cybersecurity, as we engage security firms in different capacities to provide or operate some of these controls and technology systems, including cloud-based platforms and services. For example, third parties are used to conduct assessments, such as vulnerability scans and penetration testing. We use a variety of processes to address and oversee cybersecurity threats related to the use of third-party technology and services, including a vendor risk management program.
We have a written incident response plan and conduct tabletop exercises to enhance incident response preparedness. We have other response protocols to address operating impacts due to disruptions in services and technology, including scenario run books and mitigation plans for key vendors. Employees undergo security awareness training when hired and annually.
18
GOVERNANCE
The DITSC is the Company's management position with primary responsibility for the development, operation, and maintenance of our information security program. The DITSC has over 20 years of experience in cybersecurity, including over 15 years of experience in the Cyber Defense and Electronic Warfare section of the U.S. Army. The DITSC has obtained multiple subject matter certifications, including the Global Information Assurance Certification. The DITSC briefs the Technology Committee of the Board regularly and oversees regular cybersecurity training and education opportunities for the Board, which covers topics ranging from the current threat landscape to our cybersecurity program metrics, risks, and roadmap. Management receives regular updates on cybersecurity risks from the DITSC. In the event of a security incident, the DITSC will follow the escalation process in our incident response plan to notify the Company's Crisis Committee, which is composed of a cross-functional group of Company leaders. The Crisis Committee will work with the DITSC to respond to and remediate any actual cybersecurity incidents. Depending on the severity of the security incident, the DITSC and the Crisis Committee are to escalate the security incident to the Chief Legal Officer and the Principal Accounting Officer, who will assess materiality in consultation with outside counsel. The Chief Legal Officer will notify the Technology Committee and the Board of any potential material incident.
Although the risks from cyber threats have not materially affected our business strategy, results of operations, or financial condition to date, we continue to closely monitor cyber risk. We may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. Risk factors for a discussion of cybersecurity risks.