SHOE CARNIVAL INC - (SCVL)
10-K Filing Date: March 22, 2024
Risk Management and Strategy
Daily, we are threatened by system intrusions, social engineering attempts and web application attacks. These threats and attempts are directed at payment data, employee credentials, system passwords and personal information. We have developed and implemented a risk-based framework to address them. We consider cybersecurity a top risk within our enterprise risk management protocol, which is subject to oversight by our Board of Directors.
Our risk-based processes, as designed, seek to maintain physical, administrative and technical controls that protect the confidentiality, integrity and availability of our information systems and information stored on our network, including customer information, personal information, intellectual property and proprietary information.
We use the National Institute of Standards and Technology Cybersecurity Framework (the "NIST CSF") as a guideline for our cybersecurity framework. This does not imply that we meet any technical standards, specifications or requirements under the NIST CSF, only that we use the NIST CSF as a framework to help us identify, assess and manage cybersecurity risks related to our business. Our policies for overall general information technology controls are also influenced by the Control Objectives for Information and Related Technologies (COBIT), which align with the NIST CSF.
Our key cybersecurity processes are organized into four primary categories:
Key elements of our cybersecurity processes include, but are not limited to, the following:
Governance
Our Board of Directors oversees and guides our business and oversees our exposure to major risks. As stated in its charter, our Board of Directors has delegated to the Audit Committee the responsibility for Board-level oversight of cybersecurity risk. As part of its oversight role, the Audit Committee receives reports about our protocols, material threats or incidents and other developments related to cybersecurity. When these discussions occur, Board members with cybersecurity acumen who are not on the Audit Committee are present and active in those discussions.
These cybersecurity reports are provided to our Audit Committee at least annually, and these reports are delivered by our Senior Vice President and Chief Information Officer ("CIO"). Our CIO has over 30 years of experience with our information systems and is versed in cybersecurity frameworks and best practices. A security committee assists the CIO with developing controls, selecting vendor partners, identifying emerging threats and implementing best practices within our risk-based framework. Our security team is composed of professionals with cybersecurity certifications and specialized training. The CIO addresses how we allocate capital resources to our cybersecurity processes with our executive leadership team, which includes our Chief Executive Officer, Chief Operating Officer, Chief Merchandising Officer and Chief Financial Officer. The CIO reports directly to our Chief Operating Officer.
Process to Assess, Identify and Manage Material Risks from Cybersecurity Threats
When a cybersecurity incident occurs or we identify a vulnerability, our CIO and our security committee, which is described in more detail under "Governance" above, are responsible for leading the initial risk assessment; external experts may also be engaged, and our Audit Committee or full Board may also be consulted. If a breach of our control structure were to occur, our executive leadership team, Audit Committee and counsel would be briefed by the CIO, and a determination would be made on whether such issue is sufficiently material to warrant disclosure.
As of February 3, 2024, we have not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, cash flow or financial condition.
Even with our current control processes and a continuous improvement mindset, cybersecurity threats constantly evolve. If the measures we have employed were to fail, or if a breach were to occur, it could result in impairment or loss of critical functions, such as the operation of our e-commerce websites, our Evansville distribution center, our corporate network and/or our point-of-sale systems, as examples. Additionally, confidential information could be compromised or we could be defrauded or ransomed for a material amount of funds. Any of these outcomes could negatively affect our reputation and customer loyalty. The ultimate effects of a breach or loss in function or confidential information are difficult to quantify with any certainty, but such loss may be partially limited through insurance. See "Risk Factors—We could be adversely affected if our inventory technology systems fail to operate effectively, are disrupted or are compromised", "—Various risks associated with our e-commerce platform may adversely affect our business and results of operations" and "—We outsource certain business processes to third-party vendors and have certain business relationships that subject us to risks, including disruptions to our business and increased costs" in PART I, ITEM 1A of this Annual Report on Form 10-K, which risk factors are incorporated by reference into this section of this Annual Report on Form 10-K.