HIBBETT INC - (HIBB)
10-K Filing Date: March 25, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
Our cybersecurity strategy prioritizes detection, analysis, and response to known, anticipated or unexpected cybersecurity threats; effective management of cybersecurity risks; and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, team member training, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers, vendors, and other third parties, our information systems and our business operations. Multi-factor authentication and principles of “Zero Trust” are integral to our control environment. We have adopted security-control principles based on the Payment Card Industry Data Security Standard and the CIS Critical Security Controls Cybersecurity Framework, other industry-recognized standards, and contractual requirements, as applicable. We leverage industry associations, third-party benchmarking, results from internal and third-party audits, threat intelligence feeds, and other similar resources to inform our cybersecurity processes and plans.
We maintain cybersecurity programs that include physical, administrative, and technical safeguards, and we maintain plans and procedures with the objective of helping us prevent and timely and effectively respond to cybersecurity threats or cybersecurity incidents. Through our defense strategy and cybersecurity risk management process, we continuously monitor cybersecurity vulnerabilities and potential attack vectors to Company systems. We evaluate the potential operational and financial effects of any threat and of cybersecurity countermeasures made to defend against such threats. We integrate our cybersecurity practices into our Enterprise Risk Management (“ERM”) program, which is overseen by our Audit Committee and provides central, standardized frameworks for identifying and tracking cyber-related business and compliance risks across the Company. In addition, we periodically engage third-party consultants to assist us in assessing, enhancing, implementing, and monitoring our cybersecurity risk management programs and responding to any incidents. This process includes regular penetration and vulnerability testing.
We have developed a formal Incident Response Plan focused on: 1) preparation, 2) detection and analysis, including determination of materiality, 3) containment, eradication, and recovery, and 4) post-incident analysis. We maintain and enforce Company level information system security policies that include possible disciplinary actions for violations.
As part of our cybersecurity risk management process, we conduct “tabletop” exercises during which we simulate cybersecurity incidents to ensure that we are prepared to respond to such an incident and to highlight any areas for potential improvement in our cybersecurity incident preparedness. Third-party specialists may be involved in these exercises, which are conducted at both the technical level and senior management level. Historically, certain members of our Board of Directors have participated as well. Learnings from these exercises are incorporated into our Incident Response Plan. In addition, all team members are required to pass mandatory cybersecurity training courses on a regular basis and receive phishing simulations to provide “experiential learning” on how to recognize phishing attempts. Training is administered and tracked through online learning modules and is supplemented by regular Company communications on cybersecurity topics.
We have established a cybersecurity supply chain risk management program, which is a cross-functional program that forms part of our ERM program and is supported by our security, compliance, and supply chain organizations. Through this evolving program, we assess the risks from cybersecurity threats that impact select suppliers and third-party vendors with whom we share personal identifying and confidential information. This cyber risk assessment is performed for applicable third-party vendors during the vendor onboarding process and the results are factored into our risk-based vendor selection decision. We continue to evolve our oversight processes to mature how we identify and manage cybersecurity risks associated with the products or services we procure from such suppliers. We generally require that our suppliers adopt and maintain security-control principles based on industry-recognized standards.
We do not believe that any risks we have identified to date from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us or our business strategy, results of operations or financial condition. However, notwithstanding our processes, policies and procedures designed to monitor and mitigate the risks of cybersecurity threats, there can be no assurance that we or third parties with which we interact will not experience a cybersecurity incident that materially affects us in the future. Additionally, while we have in place insurance coverage designed to address certain aspects of cybersecurity risks, such insurance coverage may be insufficient to cover all insured losses or all types of claims that may arise. See “Risks Related to Technology” in “Risk Factors” of this Form 10-K.
Governance
Our Board of Directors has general oversight responsibility for our strategic and business risk management and has delegated cybersecurity risk management oversight to the Audit Committee, which reports on its activities and findings to the full Board after each quarterly meeting. Our Audit Committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which the Company is or may be exposed and to implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents.
Management is responsible for identifying, assessing, and managing cybersecurity risks on an ongoing basis, establishing processes to ensure that cybersecurity risk exposures are monitored, establishing appropriate mitigation measures, maintaining cybersecurity policies and procedures, and providing regular reports to our Board of Directors, including through the Audit Committee. Our Senior Vice President and Chief Information Officer (“CIO”), who has over 30 years of industry experience, leads our cybersecurity program and is supported by our Information Security Officer and team members holding relevant certifications. The CIO reports to the Audit Committee on cybersecurity risks at each of its quarterly meetings. These reports include assessments of cybersecurity risks, the current and emerging threat landscape, updates on any incidents, and reports on our investments in cybersecurity risk mitigation and governance.
The Audit Committee has identified two of its members, Ramesh Chikkala and Karen Etzkorn, both with expertise in cybersecurity risk management, as cybersecurity professionals. Furthermore, the Audit Committee has designated Ms. Etzkorn to meet regularly with management to review our cybersecurity strategy, key initiatives and progress toward our objectives. In the event of a potentially material cybersecurity event, the Chair of the Audit Committee would be notified and briefed, and meetings of the Audit Committee and/or full Board of Directors would be held, as appropriate.