lululemon athletica inc. - (LULU)

10-K Filing Date: March 21, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Our business operations and relationships with customers and suppliers are heavily reliant on technology. We operate a cybersecurity program designed to assess our security risks and threats, to manage those risks and protect our technology systems and data, and to detect and respond to cybersecurity incidents.
We manage strategic risks, including cybersecurity risk, through our Enterprise Risk Management program which has direct involvement from the board of directors, the audit committee, and senior management. Through this process, we have identified cybersecurity as a risk management priority.
Governance
Our board of directors provides oversight of cybersecurity risks and has delegated primary responsibility to the audit committee, which is responsible for overseeing our enterprise risk assessments and management policies, procedures, and practices (including regarding those risks related to information security, cybersecurity, and data protection).
The audit committee maintains a cybersecurity sub-committee that is comprised of our Chief Information Officer ("CIO"), our Chief Information Security Officer ("CISO"), and representatives from the audit committee and board of directors that have knowledge and experience in cybersecurity matters. The cybersecurity sub-committee reviews our cybersecurity risk assessments and the steps being taken to monitor, control, and report on those risks as well as discusses regulatory and market developments. They also review our process for identifying and responding to cybersecurity incidents in a timely manner, and details of cybersecurity attacks or incidents which have occurred.
Management generally meets with, and provides reports to, the cybersecurity sub-committee on a quarterly basis. Our CIO and CISO also meet with and provide reports to the audit committee at least quarterly. The board of directors receives periodic reports regarding the activities of the cybersecurity sub-committee. These reports and meetings are designed to inform the board of directors and committees about the current state of our information security program including cybersecurity risks, the nature, timing, and extent of cybersecurity incidents, if any, and the resolution of such matters.
Cybersecurity Program and Incident Response
Our CISO is responsible for our cybersecurity program, including risk assessments, information security activities, and controls. The CISO is responsible for establishing and maintaining corporate information security policies and overseeing our risk management activities, which prioritize vulnerability management, risk reduction, and prevention. Our CISO also leads our Cyber Defense and Incident Response ("CDIR") team, which identifies, assesses, escalates, and remediates cybersecurity incidents. Our current CISO has over 25 years of experience in information security across different industries in the US, Europe, and South and Central America. Our current CISO is a member of the Information Systems Audit and Control Association and brings extensive experience and knowledge of cybersecurity risk management.
The CDIR team identifies, tracks, reviews, assesses, and takes action on key cybersecurity risks including but not limited to: (i) third parties/vendors, (ii) cloud security, (iii) malicious code, (iv) our digital e-commerce channels and systems, and (v) our store technology. The CDIR team also undertakes enterprise architecture reviews, considers cyber defense and incident response findings, performs vulnerability scans, assesses threats, and performs landscape intelligence analysis.
As part of our cybersecurity program, we conduct cybersecurity awareness training including phishing simulations and supplemental campaigns as well as mandatory e-learning for all our employees. Our employees have multiple mechanisms for reporting cybersecurity and data privacy concerns. We work with third-party cybersecurity advisors to undertake assessments of our critical systems and to remediate any high-risk vulnerabilities identified. We also engage third parties to perform penetration testing on our key systems to identify potential weaknesses.
As part of our cyber incident response plan, we utilize an established framework to assess the severity of cybersecurity incidents. Under the plan, incidents are escalated to relevant senior management, and the board of directors, as appropriate, based on their severity. Our disclosure committee assesses the materiality of severe incidents including both quantitative and qualitative factors.
Third Parties
We utilize third-party service providers as a normal part of our business operations. To address cybersecurity risks arising from our relationships with third-party service providers, we employ a vendor risk program. We monitor risks relating to potential compromises of sensitive information at our third-party service providers and re-evaluate the risks associated with our partners periodically. Prior to exchanging our data with third-party service providers, they are required to go through a vendor risk assessment. We also conduct third-party security reviews and evaluate their network, processes, and systems. In addition, we obtain annual attestation reports related to data security and privacy from certain third-party service providers to further support compliance with industry-standard cybersecurity protocols.
Impact of Cybersecurity Risks on Strategy and Results
Based on the information available as of the date of this Annual Report, we have not been materially affected by any previous cybersecurity incidents. However, we continue to experience cyber-attacks, including phishing, and other attempts to break into or gain unauthorized access to our systems that could materially affect us in the future. For further information, see "Risks related to information security and technology" included in Item 1A. Risk Factors of this Annual Report.