AMERICAN EAGLE OUTFITTERS INC - (AEO)
10-K Filing Date: March 15, 2024
Risk Management and Strategy
The Board as a whole has the responsibility for the Company’s risk oversight and management, which includes a focus on cybersecurity risks. To oversee cybersecurity risk at the management level, we employ a Chief Information Security Officer (“CISO”) whose team is responsible for leading our company-wide cybersecurity strategies, policies, standards, architectures, operations, and processes. We have established an Information Security Program, which is integrated into our overall enterprise risk management system and processes, to assess, identify, and manage material risks from cybersecurity threats. This program is built upon, informed by, and responsive to industry best practice frameworks such as ISO, NIST, and the Payment Card Industry Data Security Standard. Our program undergoes an internal annual review, conducted by our CISO and internal auditors, as well as third-party external review. Additionally, we are a member of an industry cybersecurity intelligence and risk-sharing organization, which enables us to stay informed about developments, trends, and risks in the cybersecurity threat landscape.
As an important component of our overall cybersecurity strategy, we leverage a diverse array of third-party cybersecurity vendors and security firms in different capacities to implement or operate various aspects of our Information Security Program. Such third parties include a managed security service provider who conducts 24/7/365 “eyes-on-glass” cybersecurity monitoring and alerting. We also engage independent security professionals from industry leading firms to perform penetration testing and other security testing and have an array of external experts on retainer (including but not limited to cybersecurity breach counsel, experts in incident response, cyber forensics, and threat intelligence). Additionally, we collaborate with various cybersecurity vendors to conduct annual tabletop exercises and trainings to help fortify our Information Security Program. Our associates are our first line of defense; therefore, we and our third-party cybersecurity vendors educate them on how to make good, sound security decisions through annual security awareness training, quarterly phishing exercises, and various security refreshers and reminders throughout the year.
The vendor risk management program is built upon, informed by and responsive to industry best practices, incorporating methodologies such as Standardized Information Gathering (SIG), third-party cyber/privacy attestations (e.g., Systems and Organization Controls (SOC), ISO 27001, and HITRUST), penetration tests conducted by independent security professionals, and integrating appropriate cybersecurity language into legal contracts. This program is designed to conduct appropriate due diligence upon onboarding third-party vendors.
Board Governance and Management
The CISO and designated direct reports meet with our Chief Technology Officer and Chief Information Officer on a regular basis to discuss pertinent risks, mitigation factors, remediation status, and risk acceptance. Our CISO also serves as our Vice President of Information Security, Disaster Recovery, and Asset Management. He has decades of experience across information technology, information security, and disaster recovery and has received relevant certifications including Certified Information System Auditor (CISA), GIAC Certified Intrusion Analyst (GCIA), GIAC Certified Incident Handler (GCIH), and GIAC Certified Forensic Analyst (GCFA).
Our CISO helps ensure the confidentiality, integrity, and availability of information that we possess through our Cyber Incident Response Plan (“CIRP”). We have assembled a cross-functional Incident Response Team with representation from a multitude of internal teams along with an array of third-party experts having specialized skills to support all aspects of incident response, recovery, and reporting. The CIRP outlines processes to evaluate and respond to various cybersecurity threats, assess the severity of potential and actual incidents and their impacts, and procedures around who should be notified and involved in the Company’s responses thereto. For example, cybersecurity incidents that surpass a certain level of severity require updates to executive leadership and our Board. The CIRP is reviewed annually and has been reviewed by industry-leading incident response providers, internal/external auditors, and others. The CIRP is tested annually at a minimum through tabletop exercises facilitated by an outside expert. These proactive exercises are of paramount importance in helping to refine and optimize our incident response capabilities and minimize the impact of any cybersecurity incident.
Additionally, we have established a Cyber Incident Materiality Assessment Committee (“C-MAC”) that is primarily responsible for conducting a materiality assessment of cybersecurity incidents and determining whether an incident is material for disclosure and reporting purposes in accordance with applicable rules and regulations. This assessment and determination are separate and distinct from evaluating the cyber severity of an incident, which remains within the purview of the CIRP. The C-MAC is composed of various cross-functional senior members of management, including our Chief Financial Officer, Controller and Chief Accounting Officer, Chief Technology Officer, General Counsel and Chief Compliance Officer, CISO, Senior Vice President of Corporate Communications and Investor Relations, Vice President of Internal Audit, Senior Director of Tax, and certain key outside advisors. The C-MAC will coordinate with our Disclosure Committee in connection with any requisite disclosures.
The Audit Committee receives regular reports from the CISO on pertinent cyber risk exposures, the status of projects designed to fortify our Information Security Program, metrics on the effectiveness of this program, and emerging threats in this area. Cyber insurance coverage is reviewed annually with the Audit Committee as part of our overall risk management process. Furthermore, on at least a quarterly basis or more often as needed, the CISO provides pertinent cybersecurity risk exposures and updates, along with various other business units, as part of the enterprise risk management report to the Audit Committee. The Audit Committee is responsible for the review and assessment of cybersecurity risk exposures and the steps taken to monitor and control those exposures. Our senior officers have ongoing engagement with the Audit Committee on cybersecurity issues.
Although the risks from cybersecurity threats have not materially affected our business strategy, results of operations, or financial condition to date, they may in the future, and we continue to closely monitor cyber risk. Overall, the Company has implemented tactical processes for assessing, identifying, and managing material risks from cybersecurity threats to the Company, including governance at the Board level and accountability in our executive management for the execution of our cyber risk management strategy and the controls designed to protect our operations. See “Risk Factors—Operational Risks” in Part I, Item 1A of this Annual Report, which should be read in conjunction with this Item 1C, for additional information regarding the Company’s cybersecurity risks.