GAP INC - (GPS)
10-K Filing Date: March 19, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Safeguarding our information systems as well as the information that we receive and store about our customers, employees, vendors and others is a priority for Gap Inc. We maintain a cybersecurity program with technical and organizational safeguards that is designed to identify, assess, manage, mitigate and respond to cybersecurity threats, including threats associated with the use of third-party systems. The program leverages our overall enterprise risk management (“ERM”) processes. Cybersecurity risk management processes are also embedded within our operating procedures, internal controls and information systems.
Annually, employees receive cybersecurity training, and we provide additional targeted cybersecurity awareness and education activities throughout the year. In partnership with external consultants, we periodically conduct “tabletop” exercises with management and members of our Information Security, Information Technology and Privacy teams during which we simulate real-life cybersecurity incident scenarios to assess our preparedness, test our incident response plans and highlight potential areas for improvement. Audits of our cybersecurity risk management processes are conducted periodically in order to test the effectiveness of controls designed to prevent and respond to cyberattacks at different levels within Gap Inc. In addition, we maintain cybersecurity risk insurance.
Our Information Security and Information Technology teams manage and monitor our cybersecurity environment. These teams track cybersecurity incidents across Gap Inc., our vendors and third-party service providers to remediate and resolve incidents. Incidents are escalated as appropriate based on a risk assessment framework, including as needed to senior management. Gap Inc.’s Privacy team is involved to the extent data privacy concerns are implicated. We maintain incident response plans to coordinate activities taken to respond to and remediate cybersecurity incidents. We consult with outside counsel as appropriate, including on materiality analysis and disclosure matters, and senior management makes final materiality determination and disclosure decisions.
Our cybersecurity risk management processes are based on industry-recognized standards. We partner with leading cybersecurity companies to leverage third-party technology and expertise, and we engage with these partners to support monitoring and maintaining the performance and effectiveness of controls implemented in our environment.
To date, our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity-related risks, see “Risks Related to Data Privacy and Cybersecurity” in Item 1A, Risk Factors, of this Form 10-K.
Governance
Gap Inc.’s Chief Information Security Officer (“CISO”) oversees the cybersecurity program. The CISO reports to the Chief Digital & Technology Officer (“CDTO”) and is responsible for assessing and maintaining the Company’s cybersecurity risk management processes. The CISO informs senior management regarding the prevention, detection, mitigation and remediation of cybersecurity incidents. The CISO, CDTO, and members of the Information Security, Information Technology and Privacy teams have broad experience and expertise in selecting, deploying and operating cybersecurity technologies, initiatives and processes around the world. Information about our executive officers’ work experience, including our CDTO, is included in “Information about our Executive Officers” in Item 1, Business, of this Form 10-K.
Our Board understands the importance of maintaining a robust and effective cybersecurity program. The Audit and Finance Committee of the Board oversees the Company’s cybersecurity program as well as risk exposures and steps taken by management to monitor and mitigate cybersecurity risks. The CISO and/or CDTO provide a quarterly update on the cybersecurity program, on an alternating basis to the Audit and Finance Committee or the full Board.
Our Internal Audit department facilitates an annual ERM assessment that is designed to gather information regarding key enterprise risks, emerging risks, critical risk events, and key third-party dependencies that could impact our objectives and strategies. The Internal Audit department partners with our Information Security, Information Technology and Privacy teams to gather information about risks related to cybersecurity threats. The ERM assessment is presented to the Board and provides the foundation for the annual Internal Audit plan, management’s monitoring and risk mitigation efforts, and ongoing Board-level oversight. On a quarterly basis, Gap Inc.’s Chief Audit Executive updates the Audit and Finance Committee on the Internal Audit plan and any updates to the Company’s enterprise risk profile, including identified cybersecurity risks.