Bath & Body Works, Inc. - (BBWI)
10-K Filing Date: March 22, 2024
ITEM 1C. CYBERSECURITY
The Company has developed an information security program to address material risks from cybersecurity threats, which is integrated within our overall enterprise risk management program. The program includes policies and procedures that identify how security measures and controls are developed, implemented and maintained. Under the information security program, the Company performs one or more cyber risk assessments each year based on recognized industry best practices and standards and cyber threat intelligence. The risk assessments, together with risk-based analysis and judgment, are used to determine security controls to address identified risks. The Company considers the following factors, among others, during its risk and control implementation assessments: the likelihood and severity of the risk; the impact on the Company, the Company’s customers, associates and stockholders, and others if a risk materializes; the feasibility and cost of controls; and the impact of controls on operations and others.
The Company’s information security program currently includes the following controls, which are deployed as the Company deems applicable:
• endpoint threat detection and response;
• identity and access management;
• privileged access management;
• logging and monitoring involving the use of security information and event management;
• multi-factor authentication;
• firewalls and intrusion detection and prevention;
• web application firewalls and bot security tools; and
• vulnerability and patch management.
All of the Company’s office-based associates and certain distribution and fulfillment center associates undergo mandatory security awareness training at the time of hiring and on an annual basis thereafter. The Company’s store-based associates receive ad hoc awareness communications and are provided with cybersecurity awareness materials as part of the store operating manual.
The Company uses third-party security firms in different capacities to provide or operate some of these controls and technology systems, including cloud-based platforms and services. Third parties are used to conduct assessments, such as vulnerability scans and penetration testing. The Company uses a variety of processes to address cybersecurity threats related to the use of third-party technology and services, including pre-acquisition diligence, imposition of contractual obligations and performance monitoring.
As part of the Company’s overall enterprise risk management program, the Company has developed business continuity and disaster recovery plans, which include measures to respond to potential disruptions to our information technology systems (or information technology systems of third parties on which we rely). The Company also maintains a written information security incident response plan and conducts tabletop exercises to enhance incident response preparedness. The Company is also a member of an industry cybersecurity intelligence and risk sharing organization.
The Company (or third parties on which it relies) may not be able to fully, continuously and effectively implement security controls as designed or intended. As described above, the Company utilizes a risk-based approach and judgment to determine the security controls to implement, and it is possible that the Company may not implement appropriate controls if management does not recognize, or underestimates, a particular risk. In addition, security controls, no matter how well designed or implemented, may only partially mitigate, but not fully eliminate, risks. Security events, when detected by security tools or third parties, may not always be immediately understood or acted upon by the Company (or by third parties it relies upon).
The Company, like many retailers, relies upon third-party service providers, such as payment processors and network providers, that have faced risks from threat actors and cybercriminal groups that seek to steal payment card data, consumer data, and other sensitive information; disrupt critical information technology systems; and/or demand ransom payments. Although the Company has implemented controls to address these risks, if these risks were to materialize, such as in the event of a cybersecurity incident causing the networks of a third-party payment processor to not be operational, the impact to the Company could be material.
We have not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, which have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, we continue to face risks from cybersecurity threats that, if realized, may have such material effect. Despite our ongoing efforts, we cannot provide complete assurance that our cybersecurity risk management processes will be effective in detecting, preventing, or mitigating such cybersecurity risks. See also “We have undertaken a multi-year initiative to upgrade our digital and information technology systems and capabilities. We significantly rely on our, and our third-party service providers’, ability to successfully implement, upgrade and sustain information technology systems and to protect associated data and system availability” and “Any significant compromise or breach of our data security, including the security of customer, associate, third-party or Company information, could have a material adverse effect on our reputation, results of operations, financial condition and cash flows” in Item 1A. Risk Factors of this Annual Report on Form 10-K for a discussion of cybersecurity risks that could have a material impact on the Company, which sections should be read in conjunction with this Item 1C.
The Company’s Chief Information Security Officer (“CISO”) is the member of the Company’s management team with primary responsibility for the development, operation and maintenance of the Company’s information security program. The CISO holds a master of science degree in information assurance and has approximately 24 years of cybersecurity experience with Fortune 500 financial, defense, consulting and retail companies. The Company’s Audit Committee oversees the Company’s information security program at the Board level. The Audit Committee, which is composed entirely of independent members of the Board, receives reports directly from the CISO at least twice per year regarding the Company’s cybersecurity program, including reports regarding items such as cybersecurity policies and practices, cybersecurity program resources, third-party assessments of the Company’s information security program, key risks related to the Company’s information security program and the Company’s mitigating controls.
As described above, the Company maintains an information security incident response plan that includes processes and procedures for evaluating and escalating cybersecurity incidents to, as determined to be appropriate, the Company’s executive management team and members of the Board. The initial impact level of each cybersecurity event is evaluated by a designated team of information security specialists using risk criteria that have been defined and approved by the Company’s executive management team and reviewed with the Company’s Audit Committee. If escalated, the incident is evaluated by a cross-functional core and extended team, as applicable, of Company managers that includes the Company’s CISO and the Company’s designated internal legal counsel, as well as identified associates from across the Company’s business and functions, as applicable. Cybersecurity incidents are assigned incident impact levels based on the core team’s determination of potential impact to the Company. The core team employs defined risk criteria to classify incidents and escalate incidents accordingly. Based on the severity classification assigned by the core team, incidents may be escalated to representatives of the Company’s executive management team (which includes the Company’s Disclosure Committee), the Chairs of the Board and the Audit Committee, other members of the Audit Committee and/or the full Board. The incident response plan, which also incorporates processes to engage identified third-party cybersecurity consultants, advisors and response services, provides for continuous re-evaluation of identified cybersecurity incidents by the appropriate levels of management to ensure that the Company is able to satisfy its disclosure obligations under relevant rules and regulations.
The Company has an Enterprise Risk Management function that oversees the identification, prioritization and mitigation of the Company’s enterprise risks, and cybersecurity is a risk category addressed by that function. The Company also has a Cybersecurity and Privacy Risk Council, which is composed of representatives of the Company’s senior management and operates to deliver management-level oversight of cybersecurity matters. The Company uses governance, risk and compliance tools to assess, identify and manage its cybersecurity risks.