Zumiez Inc - (ZUMZ)
10-K Filing Date: March 14, 2024
Risk Management and Strategy
Overview
At its core, our cybersecurity program is the collection of people, processes and technologies that are designed to protect our networks, computers and data from attack, damage, or unauthorized access. The cybersecurity program is also part of a broader cybersecurity framework, which involves how we assess and manage cybersecurity threat risks and how this integrates into our overall risk management framework. While the foregoing summary is specific to our North America business operations, we believe that the cybersecurity programs of our International business operations are consistent with the approach and framework outlined below and are appropriate for the scope and scale of their operations.
The Security and Compliance Team, within our IT department, takes the lead role in helping to ensure that we maintain comprehensive technologies and programs so that our systems are effective and prepared for cybersecurity risks. The Security and Compliance Team is led by the Security and Compliance Program Manager and consists of a Lead Security Engineer and a Security Analyst. The Security and Compliance Team works very closely with our team across the IT department and with several different third parties who provide expertise in different areas such as threat hunting and penetration testing.
Objectives and Key Principles and Priorities
The objective of the Security and Compliance Team is to build practices within the company to define, implement, enforce, and measure our security, compliance and disaster recovery readiness. In doing so, it utilizes some of the following key guiding principles and priorities:
On a day-to-day basis and from a project perspective, the Security and Compliance Team undertakes the following activities:
Framework for Cybersecurity Controls
We have implemented risk-based controls to protect our networks, computers and data. To this end, we utilize the Center for Internet Security (CIS) version 8.0 framework, which is comprised of eighteen critical security controls. The CIS framework is based on the COSO (Committee of Sponsoring Organizations on the Treadway Commission) and NIST (National Institute of Standards and Technology) frameworks and provides a highly actionable way to implement those frameworks and maps directly to other compliance requirements relevant to us, including PCI compliance and SOX controls (briefly discussed above).
Use of Third Parties
We work with a third party that provides us with threat hunting services via an Endpoint Detection and Response (EDR) platform. This team proactively searches for newly uncovered threats based on up-to-the-minute intelligence on the cybersecurity threat landscape and their knowledge of the Zumiez environment. Upon discovery of a potential threat, the threat hunting team provides initial remediation guidance.
We also conduct periodic penetration testing of our systems. This testing is performed by a qualified third-party testing company and is in alignment with our CIS controls. Penetration testing is meant to provide us with information on the security of a particular system or application. These findings then can be used by us to inform remediation work on a go-forward basis.
Cybersecurity Insurance
We maintain what we believe are appropriate levels of cybersecurity insurance that covers settlements, judgments and defense costs arising out of a failure of network security, a privacy breach, media liability, business income loss resulting from a cyber event and for cyber extortion coverage. This cybersecurity insurance coverage also provides for the following breach response services in connection with incidents involving the theft, loss or unauthorized disclosure of third-party information and computer system security breaches:
Cybersecurity Incident Response Plan
We have a Cybersecurity Incident Response Plan which is maintained by the Security and Compliance Team. The Incident Response Plan establishes what people and organizations need to be engaged in the event of a significant incident. The Incident Response Plan also provides templates for technical resolution, documentation and communication to internal stakeholders as well as insurers and governmental and other regulatory agencies.
Risk Mitigation
We also manage cybersecurity risk by limiting our threat landscape. For example, as an omni-channel retailer, we accept credit and debit cards via all sales channels and protecting cardholder data is a critical component of our security practices. Accordingly, PCI compliance (discussed briefly above) is very important and we engage an external qualified assessor to audit our compliance and to provide us with a report on compliance that is also shared with various payment providers. To help reduce our exposure to unauthorized access of cardholder data, we have utilized a strategy of minimizing or eliminating the storage of, and unencrypted transmission of, cardholder information across our various systems.
Moreover, our businesses do not involve or represent national infrastructure, the likes of which are common targets of cyber attackers (e.g., energy, oil & gas, transportation, communications, banking and financial systems, etc.). We recognize that cyber threats are a permanent part of the risk landscape and that new threats are constantly evolving. For these and other reasons, cybersecurity is a top risk management priority at Zumiez.
Like many companies, we face a number of cybersecurity risks in the day-to-day operation of our business. Although to date these risks have not materialized into any instances or series of instances that have had a material adverse effect on our business or otherwise caused material harm to the company, we have, on occasion, experienced cybersecurity threats to our data and information systems, including phishing attacks. For more information about the cybersecurity risks we face, see the risk factor entitled “If we fail to meet the requirements to adequately maintain the privacy and security of personal data and business information, we may be subject to adverse publicity, litigation and significant expenses” in Item 1A Risk Factors.
Governance
As discussed above, the Security and Compliance Team takes a lead role in helping to ensure that we maintain comprehensive technologies and programs so that our systems are effective and prepared for cybersecurity risks. This team is supported by our Zumiez North America Cybersecurity Team, which consists of the Security and Compliance Program Manager, the Director of Infrastructure IT, the Vice President of IT, the Chief Financial Officer and the Chief Legal Officer. Additional support and guidance are provided by the Zumiez North America IT Steering Committee, which consists of the Chief Financial Officer, Chief Legal Officer, the Executive Vice President of North American Consumer Teams, the Vice President of IT, the Director of Infrastructure IT and the Senior Program Manager of Digital Commerce. Together, the Zumiez North America Cybersecurity Team and the Zumiez North America IT Steering Committee provide guidance and oversight to the Security and Compliance Team in alignment with the company’s overall risk management and oversight framework.
Members of management, including our Chief Legal Officer, regularly report on the company’s cybersecurity matters to our board’s Audit Committee. The Audit Committee has been assigned the responsibility for reviewing and discussing with management the company’s major operational, legal and regulatory risks, including data security and privacy and the company’s policies to identify and manage cybersecurity risks.
In order to inform the Audit Committee of the planning and execution of our cybersecurity program, several different reports are provided from management.
Annual Cybersecurity Plan. This plan is provided for the first quarter Audit Committee meeting and outlines the cybersecurity related strategic initiatives for the fiscal year. It outlines any new investments and projects and their alignment with the cybersecurity framework, as well as the expected timelines for the implementation of these activities.
Quarterly Cybersecurity Memos. At the 2nd, 3rd and 4th quarter Audit Committee meetings, an update memo is provided to the Audit Committee that details the progress against the Annual Cybersecurity Plan, any updates on PCI compliance and SOX compliance activities and any emerging threats. The memo also contains a summary of significant cybersecurity threats over the past quarter both within our ecosystem and outside our ecosystem and any impact (if any) they may have had upon the company.
Internal Audit Reports. Our internal audit function’s reviews of our information security programs and controls are included in quarterly reports to the Audit Committee.
The cybersecurity program and related risks are also discussed with the full Board of Directors as part of the review and discussions around the topic of risk management and the risk oversight framework that generally take place at the 3rd quarter Board of Directors meeting.
Any potentially significant information security issues that arise during the year are discussed with management and captured in our disclosure controls and procedures and are discussed with our Audit Committee chair between board meetings as appropriate.