Academy Sports & Outdoors, Inc. - (ASO)

10-K Filing Date: March 21, 2024
Item 1C. Cybersecurity

The security of our information systems and data is critical to our business as a retailer, and we devote significant resources to protecting our information systems and data. We continue to invest in people, technology, and processes to protect data and systems against evolving cybersecurity threats. We have implemented a cybersecurity program that we believe is reasonably designed to manage risks from cybersecurity threats, including those that may result in adverse effects on the confidentiality, integrity, and availability of our information systems, and impact the security of information we create, maintain, and process on our information systems. Our program is designed to enable us to prevent, monitor, identify, detect, investigate, respond to, mitigate, and report on cybersecurity threats and incidents.

Cybersecurity Governance

The Company has adopted a cross-functional and multi-management level approach to assessing and managing risks arising from cybersecurity threats. The audit committee of our Board of Directors (the “Audit Committee”) oversees the Company’s enterprise risk management program. As part of this oversight, the Audit Committee has primary responsibility for overseeing risks related to cybersecurity, although the full Board of Directors retains ultimate oversight over these risks. Cybersecurity is a standing agenda item of the Audit Committee’s regular quarterly meetings, where the Audit Committee reviews and discusses cybersecurity risks along with the Company’s cybersecurity programs and strategy with management. The Audit Committee receives reports and presentations from our Chief Information Officer (CIO) and our General Counsel at its quarterly meetings on a range of topics, including our cybersecurity program and processes, our information systems, risk identification and mitigation strategies, the evolving cybersecurity threat landscape, regulatory developments, board education, and notable incidents or threats affecting the Company. From time to time between quarterly meetings, our CIO and General Counsel or other members of management may hold additional cybersecurity-related discussions with the Audit Committee. The Audit Committee regularly reports on its cybersecurity program oversight to the Board of Directors.

Our CIO is the primary executive responsible for leading the Company’s cybersecurity risk management program and has over 20 years of experience in various technology-related roles, including responsibilities related to managing information security, developing cybersecurity strategy, and implementing cybersecurity programs. Our cybersecurity team is responsible for the operations of our cybersecurity program, including implementing, monitoring, and maintaining cybersecurity and data protection solutions and practices across the enterprise. The team is led by our Director of IT Security and Compliance (our “Security Director”), who reports to our CIO. Our Security Director has over 20 years of IT experience and over 12 years of cybersecurity experience, and holds a Master of Science in Cybersecurity and Information Assurance. Our cybersecurity team works with our crisis management team and cybersecurity advisors we may engage to respond to and manage the resolution of cybersecurity incidents. Our CIO, Security Director, and cybersecurity team also work closely with our legal team on various aspects of our cybersecurity program. We also periodically engage assessors, consultants, Payment Card Industry-Data Security Standards (PCI-DSS) auditors, or other third parties to assist with our cybersecurity program. When appropriate, we engage forensic investigators and legal counsel to investigate cybersecurity threats and incidents.

Our Cyber Security Committee is a management committee chartered to oversee our cybersecurity program. The Cyber Security Committee meets at least quarterly and more frequently as appropriate to review and discuss the Company’s cybersecurity program. Our CIO and Security Director provide reports at each Cyber Security Committee meeting on cybersecurity program matters and initiatives. The Cyber Security Committee reviews any significant cybersecurity threats or incidents reported by the Security Director. The Cyber Security Committee elevates cybersecurity threats and incidents to the Audit Committee, CEO and CFO, Disclosure Committee, and crisis management team, as appropriate. Our Disclosure Committee, a cross-functional group consisting of accounting, legal, finance, investor relations, internal audit, and IT management personnel, is responsible for disclosures concerning material cybersecurity incidents and the Company’s cybersecurity practices.

Risk Management and Strategy

Our cybersecurity program is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and applies, as appropriate, to the Company’s internal and external information systems, applications, networks, and operations. We conduct scanning, testing, and assessments designed to identify risks from cybersecurity threats, assess controls, and calibrate planning in response to rapidly evolving cybersecurity risks, and use the results from this testing to adjust our cybersecurity program roadmap to mitigate cybersecurity risks as they evolve. Our internal audit team performs audits on various aspects of cybersecurity and reports the results of these audits in its quarterly reports to management, the Cyber Security Committee, and the Audit Committee. Our internal auditors assess the sufficiency of security controls for relevant systems. Leaders from our risk management and internal audit teams administer our enterprise risk management program, which is designed to identify, assess and manage our top enterprise risks, including risks arising from cybersecurity threats.

We employ a risk-based approach to secure access to our networks, systems, and applications by partners and vendors. We have implemented risk assessment processes for partners and vendors receiving access to our environment and data. Our partners and vendors with whom we share information to conduct our business are required to safeguard it by appropriate means, including elevated contractual commitments when appropriate. We provide cybersecurity training to our team members during onboarding and regularly thereafter. We maintain a software vulnerability management program supported by internal personnel and third-party service providers. We deploy technologies to automate and enhance our operational security capabilities. We also use third-party managed security services to augment our cybersecurity team’s capabilities.

We have adopted a Cyber Security Incident Response Plan (the “CSIRP”) to provide a standardized framework for responding to cybersecurity incidents. The CSIRP is a coordinated approach to investigate, contain, mitigate, and document cybersecurity incidents, including reporting and escalating findings as appropriate (including to the crisis management team).

To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and we do not believe that such risks are reasonably likely to have such an effect over the long term. However, due to evolving cybersecurity threats, despite our security measures, we may not be able to anticipate, prevent, and stop future cybersecurity incidents, including attacks on our information systems and data and those of our partners. Additional information on cybersecurity risks we face is discussed in Item 1A of Part I, “Risk Factors”, which should be read in conjunction with the foregoing.