Victoria's Secret & Co. - (VSCO)
10-K Filing Date: March 22, 2024
ITEM 1C. CYBERSECURITY.
As a publicly traded company, we recognize the critical importance of effective cybersecurity risk management to safeguard our operations, protect sensitive information and ensure the trust of our customers and stakeholders.
Risk Management & Strategy
We maintain a robust cybersecurity risk management program designed to assess, identify and manage material risks from cybersecurity threats, which encompasses the following key components.
Risk Assessment
We regularly conduct comprehensive cybersecurity risk assessments to identify vulnerabilities, threats and potential impacts on our business operations and stakeholders. We actively monitor and gather threat intelligence to stay informed about emerging cyber threats and vulnerabilities relevant to our industry and operations. We engage independent third-party assessors for periodic cybersecurity program assessments against industry-accepted frameworks and to perform technical penetration assessments. We assess ourselves against the Center for Internet Security Top 18 controls framework, the National Institute of Standards and Technology Cybersecurity Framework, the Payment Card Industry Data Security Standard and management-defined technology controls to support our internal controls over financial reporting.
Incident Detection and Response
We have established procedures for monitoring network activities, detecting anomalies and responding to cybersecurity incidents promptly. We engage a specialized managed services firm to provide continuous monitoring and an initial level of incident response. We work with a leading cyber forensics firm to provide incident response services as needed. Our incident response and escalation procedures are documented to classify incidents according to defined thresholds. Our core incident response and extended incident response teams are cross-functional and include leaders across technology, legal, finance, asset protection, customer care, human resources, stores operations and communications. Protocols to notify our executive leadership team and Board of Directors are in place based on the severity of the incident.
Third-party Risk
In addition to our own systems, we use third-party service providers to store, transmit and process information on our behalf. Third-party risk management is embedded in our cybersecurity risk management function. We leverage an independent cybersecurity assessment exchange service to gather information and provide real-time threat monitoring of our most critical third parties. We review relevant cybersecurity assessment reports and certifications from our third parties. Our standard contract terms also require third parties to maintain a standard level of security and controls.
Governance
Our cybersecurity risk management processes are integrated into our overall enterprise risk management system. Our Board of Directors (the “Board”) understands the critical nature of managing risks associated with cybersecurity threats. The Board has established robust oversight mechanisms to provide effective oversight of risks associated with cybersecurity.
Board of Directors Oversight
The Audit Committee has been delegated the primary responsibility for the Board's oversight of cybersecurity risks. Executive summaries of our internal risk assessments, program initiatives, regulatory compliance and incident summaries are shared with our Audit Committee on a semi-annual basis, with additional updates as needed. Our third-party assessment and audit results, which are performed on an annual basis, and associated remediation plans are also shared with our Audit Committee. Additionally, our Internal Audit function independently conducts periodic reviews of our cybersecurity controls and reports the results of those reviews to the Audit Committee. The Audit Committee reports to the Board on cybersecurity risk oversight at least annually.
Management's Role in Managing Cybersecurity Risk
Our Chief Information Security Officer (“CISO”) has primary responsibility for assessing, monitoring, and managing our cybersecurity risks. Our CISO has over 25 years of security experience in executive leadership, operations, incident response, and consulting in various industries including retail, technology and healthcare, as well as support of Federal government agencies and intelligence. Our CISO reports to our Chief Information Officer (“CIO”), who is also responsible for overseeing cybersecurity risks and communicating with the Board and Audit Committee.
We have a structured process to identify and oversee material cybersecurity risks. We maintain a robust set of cybersecurity policies that set the standards and expectations for our associates, contractors and vendors to follow. We report cybersecurity metrics quarterly to our technology leadership, including our CIO and CISO, and our Enterprise Risk Management team. We have an Executive Risk Council, comprised of executive leadership across the business, which is briefed quarterly on the latest cybersecurity threats impacting our business, and the progress of recent and ongoing cybersecurity program efforts, incidents and risk assessments. The Executive Risk Council provides input as needed to strengthen our cybersecurity controls and risk management.
We do not believe that any risks we have identified from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. For additional information regarding cybersecurity risks we are subject to, refer to “Item 1A. Risk Factors” in this Annual Report on Form 10-K.