Burlington Stores, Inc. - (BURL)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity

Cybersecurity represents an important component of the Company’s overall cross-functional approach to risk management. Our cybersecurity practices are integrated into the Company’s enterprise risk management (“ERM”) approach, and cybersecurity risks are among the core enterprise risks identified for oversight by the Board through our annual ERM assessment. While the Board is ultimately responsible for risk oversight, the Audit Committee oversees the overall review of our policies and procedures with respect to risk assessment and risk management, and has oversight of information technology and security matters, which includes cybersecurity strategies and risks, as well as data privacy and data protection (“Information Security”). The Audit Committee oversees the management of risks from cybersecurity threats, including the policies, processes, and practices that the Company’s management implements to address risks from cybersecurity threats.

On a quarterly basis, our Chief Information Officer reports to the Audit Committee on our Information Security program, including presentations and reports on cybersecurity risks that address a wide range of topics, for example: recent cybersecurity-related developments; security initiatives; vulnerability assessments; the threat environment; technological trends; information security considerations arising with respect to the Company’s peers and vendors; strategic activities; and the execution of our cybersecurity awareness training. In turn, the chair of the Audit Committee reports to the full Board on a quarterly basis regarding these matters, among other matters addressed by the Audit Committee.

Ongoing internal and external cybersecurity assessments are conducted, which include the evaluation of certain tools, procedures, and policies to measure the program’s overall maturity against the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, and annual compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) to protect customer credit card data.

Our cybersecurity program includes:

Vigilance: The Company maintains a cybersecurity threat operation that endeavors to detect, contain and respond to cybersecurity threats and incidents in a prompt and effective manner with the goal of minimizing disruptions to the business.
Partnerships: The Company has established partnerships with a number of third parties, including service providers, to identify and assess cybersecurity risks.
Systems Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, access controls and ongoing vulnerability assessments.
Third-Party Management: The Company maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, such as vendors and service providers. The Company performs due diligence on third parties that have access to our systems, data or facilities that house such systems or data. Additionally, the Company generally requires those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways.
Education: The Company provides periodic awareness training for personnel regarding cybersecurity best practices. Routine security bulletins are sent to personnel throughout the year to reinforce awareness of their responsibilities regarding security risks, and we conduct regular phishing exercises. “Security Awareness Month” activities also occur on an annual basis and include sessions with guest speakers, relevant communications, and additional educational opportunities related to security risks.
Incident Response Planning: The Company has established and maintains a written incident response plan that addresses the Company’s response to a cybersecurity incident, and such plan is tested periodically with tabletop exercises.
Communication and Coordination: The Company utilizes a cross-functional approach to address the risk from cybersecurity threats, involving senior management personnel from the technology, operations, legal, risk management, internal audit and other key business functions (the “cybersecurity team”), as well as members of the Company’s Board and the Audit Committee of the Board.
Insurance: The Company carries information security risk insurance that is designed to mitigate certain potential losses arising from a cybersecurity incident.


A key part of the Company’s strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of the Company’s processes and practices through assessments, tabletop exercises and other exercises focused on evaluating effectiveness, including regular network and endpoint monitoring, vulnerability scanning and penetration testing. The Company also engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments and independent reviews of our information security control environment and operating effectiveness. The results of such assessments and reviews are reported to the Company’s Chief Information Officer and Audit Committee, and the Company considers adjustments to its cybersecurity processes and practices as appropriate based on the information provided by the third-party assessments and reviews.

The Company’s Chief Information Officer, who has many years of relevant experience, with support from the other members of the cybersecurity team, is the member of the Company’s management that is principally responsible for overseeing the Company’s cybersecurity risk management program. We believe our cybersecurity team has the appropriate expertise, background and depth of experience to manage risks arising from cybersecurity threats.

The Company’s Chief Information Officer, in coordination with the cybersecurity team, works to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to cybersecurity incidents. To facilitate the success of this program, the cybersecurity team addresses cybersecurity threats and responds to cybersecurity incidents in accordance with the Company’s written incident response plan. The Chief Information Officer and cybersecurity team regularly meet to monitor the prevention, detection, mitigation and remediation of cybersecurity incidents, and the Chief Information Officer consults with executive management, including the CEO, to report such incidents to the Audit Committee and the Board and initiate a response to incidents when appropriate.

To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are likely to materially affect the Company, including its business strategy, results of operations, or financial condition; however, as further discussed in Item 1A, Risk Factors, if we are unable to protect our information systems against service interruption, misappropriation of data, breaches of security, or other cyber-related attacks, our operations could be disrupted, we may suffer financial losses and our reputation may be damaged.