WEYCO GROUP INC - (WEYS)

10-K Filing Date: March 14, 2024
ITEM 1C CYBERSECURITY

Risk Management and Strategy

We face various cybersecurity risks and threats that could have a material adverse effect on our business, operations, financial performance, liquidity, and reputation. We have implemented processes and systems to identify, assess, and manage these risks and threats, as well as to prevent, detect, and respond to any cybersecurity incidents that may occur, which are integrated into our overall risk management process. We also have a comprehensive cybersecurity strategy, policy, and program that aligns with our business objectives and risk appetite. We regularly review and update our cybersecurity strategy, policy, and program to address the evolving nature and scope of cybersecurity risks and threats. In addition, we consider the cybersecurity practices of our third-party service providers, through a general security assessment and contractual requirements, as appropriate, before engaging them in order to help identify and mitigate cybersecurity risks associated with those providers.

We comply with various laws, regulations, standards, and guidance related to cybersecurity, such as the Sarbanes-Oxley Act of 2002, the Payment Card Industry Data Security Standard, the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and the SEC's guidance on cybersecurity disclosures.

During the fiscal year ended December 31, 2023, we did not experience any cybersecurity incidents that materially impacted, or are reasonably likely to materially impact, our business strategy, results of operations or financial condition. Please refer to the risk factors described in this report under Item 1A, “Risk Factors,” for a discussion of the potential impacts of future cybersecurity events.

Our Information Technology (“IT”) security department, led by our Vice President of Information Systems (“IS”) and Distribution and overseen by our Director of IS, holds primary responsibility for assessing and managing cybersecurity threats. Our Vice President of IS and Distribution has more than 34 years of experience in IT and holds a bachelor’s degree in Management of IS; his in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our Director of IS has more than 20 years of experience in various IT and IS roles, and holds a bachelor’s degree in Accounting and Finance.

A team of IT Specialists (including a Cybersecurity Analyst) at our Company is tasked with monitoring cybersecurity and operational risks associated with information security and system disruption. This team employs measures aimed at protecting against, detecting, and responding to cybersecurity threats, and has implemented processes and procedures in line with our information security management system to bolster and advance resilient programs. This encompasses:

Continuously developing and evaluating our program in accordance with the NIST Cybersecurity Framework. This Framework serves as a reference to aid in the identification, assessment, and mitigation of cybersecurity risks pertinent to our business operations.
Engaging third-party IT security vendors to conduct ongoing assessments and monitoring of our networks and devices. Additionally, we routinely collaborate with assessors, consultants, and other third-party entities to review our cybersecurity program. These efforts aim to identify areas requiring sustained attention, enhancement, and alignment with regulatory requirements. Certifications held by our cybersecurity consultants include but are not limited to: CISSP, CISM, CCNP, and CMMC-RP.
Conducting regular cybersecurity awareness training, available to all employees, during which we provide seminars, presentations, and employee engagement activities designed to reinforce our employee information security training and enhance the culture and knowledge of cybersecurity risks among our employees.

Cybersecurity Governance

Our Audit Committee is provided with regular updates from management concerning cybersecurity developments, significant cybersecurity threats, risks and processes implemented to address these risks. Our Audit Committee receives presentations on cybersecurity topics from management as part of the Committee’s continuing education on topics that impact the Company. Furthermore, management informs the Audit Committee, as deemed necessary, about any notable cybersecurity incidents.