WILLIAMS SONOMA INC - (WSM)

10-K Filing Date: March 20, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to associates or customers; violation of privacy or security laws; other litigation and legal risk; and reputational risks. These cybersecurity risks and other company risks are monitored and integrated into our enterprise risk management process. As part of this process, appropriate personnel will consult with subject matter specialists as necessary to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.
Our cybersecurity risk management approach includes: (i) an enterprise risk management process, which includes cybersecurity risks and is periodically refreshed; (ii) system vulnerability scanning; (iii) cybersecurity training for employees; (iv) penetration testing, which simulates cyber threats; and (v) third-party risk management for suppliers, vendors, and other partners, which includes risk-based diligence and contractual provisions that allow for periodic auditing. We work to continually improve each of these processes with the goal of ensuring our cybersecurity strategy remains consistent with industry best practices.
Our incident response plan coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, and includes processes to triage an incident, assess its severity, and escalate, contain, investigate, and remediate it. Further, we conduct periodic tabletop exercises to test our cyber incident response plan.
As part of our cybersecurity risk management strategy, we periodically engage with assessors, consultants, auditors, and other third parties to evaluate and test our systems. We also engage an independent Qualified Security Assessor to review our Payment Card Industry, or PCI, compliance.
To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the company, including our business strategy, results of operations, or financial condition. See “Risks Related to Technology” included as part of our risk factor disclosures in Item 1A of this Annual Report on Form 10-K, which are incorporated by reference herein.
In the last three fiscal years, we have not experienced any material cybersecurity incidents, and the expenses we have incurred from cybersecurity incidents were immaterial.
Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board of Directors and management. Our Audit and Finance Committee is responsible for the oversight of risks from cybersecurity threats. At least quarterly, the Audit and Finance Committee receives an overview covering current and emerging cybersecurity threat risks and the Company’s ability to mitigate those risks, and discusses these topics with our Chief Information Security Officer and Chief Technology and Digital Officer. Cybersecurity risk management is also considered at least annually during separate Board meeting discussions with management.
Our cybersecurity risk management strategy process is led by our Chief Information Security Officer and Chief Technology and Digital Officer, and leverages the expertise of our Chief Financial Officer, General Counsel, and Chief Accounting Officer. Our Chief Information Security Officer and Chief Technology and Digital Officer have extensive prior work experience in roles involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs, as well as several relevant degrees and certifications, including Certified Information Security Manager, Certified Information Systems Auditor, Certified Information Systems Security Professional, Global Information Assurance Certification, and Certified Ethical Hacker.
These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.