Citi Trends Inc - (CTRN)

10-K Filing Date: April 18, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Cybersecurity is an important component of our overall approach to risk management. We have implemented cybersecurity processes, technologies and controls to facilitate our efforts to identify, assess and manage material risks from cybersecurity threats. We leverage industry associations, third-party benchmarking, results from internal and third-party testing, and other similar resources to inform our cybersecurity programs and processes. We also adhere to applicable Payment Card Industry Data Security Standards. We have prioritized improving our cyber security posture to safeguard our systems and mitigate risks. During fiscal 2023, we made significant investments in people and technology to detect, respond to, and recover from security incidents. We have developed and are executing our cybersecurity roadmap, which provides the framework to continually strengthen our capabilities.

Our cybersecurity programs include physical, administrative and technical safeguards designed to help us detect and prevent cybersecurity threats and incidents. We monitor our cybersecurity programs and processes through assessments focused on evaluating effectiveness, including regular network and endpoint monitoring, vulnerability scanning and penetration testing. In addition, we have engaged third parties to perform reviews of our information security control environment, and to provide expertise on various cybersecurity programs and issues. During fiscal 2023, we partnered with an external cyber security firm to leverage their expertise and guidance in fortifying our systems from evolving threats. We also have third-party risk management processes in place used to address the risks involved with engaging third parties in our cybersecurity programs. Our cybersecurity team has established a written incident response plan in the event of an incident. We do not retain any sensitive customer data on our systems.

We provide routine awareness training for associates regarding cybersecurity best practices and their role in protecting the Company from cybersecurity attacks and testing to measure the effectiveness of our information security program.

As previously disclosed, we experienced a cybersecurity disruption at the end of Fiscal 2022, which did not result in a material impact to our business strategy, results of operations or financial condition. We have not experienced any material cybersecurity incidents in Fiscal 2023, and as of the date of this Report, we have not identified any material risks from active cybersecurity threats, including as a result of any prior cybersecurity incidents. However, despite our security measures, there can be no assurance that our cybersecurity risk management processes described will be fully implemented, complied with or effective in protecting our systems and information. While we maintain insurance to mitigate potential losses from a cybersecurity incident, such insurance may be insufficient to cover all losses or all types of claims that may arise. See Item 1A. Risk Factors in this Report for a discussion of whether and how risks from identified cybersecurity threats have materially affected or, if realized, are reasonably likely to materially affect our business strategy, results of operations or financial condition.

Governance

Management's Role

Management is responsible for implementing our cybersecurity program on an ongoing basis to identify, assess and manage cybersecurity risks. Our cybersecurity program is led by our Vice President of Information Systems with support from our Senior Manager of IT Security & Compliance and various other team members. Our Vice President of Information Systems has over 25 years of industry experience, including more than 10 years as the leader of the Company's technology function. On a bi-annual basis, or more frequently as needed, management informs the audit committee of material aspects of our cybersecurity program, including updates on key strategic and operational goals, assessments of cybersecurity risks, updates to any incidents, and the status of our ongoing investments in cybersecurity governance.

Board Oversight

Our board of directors considers cybersecurity risk as part of its risk oversight function. Our audit committee oversees management's policies, programs and procedures related to cybersecurity risk management and reports to the board regarding these efforts. In addition, the audit committee receives briefings from management bi-annually, or more frequently as needed, on material aspects of our cybersecurity program.
