Fossil Group, Inc. - (FOSL)

10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity
Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property and data related to our customers, consumers and employees. Our cybersecurity risk management program leverages the National Institute of Standards and Technology Cybersecurity Framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. Our cybersecurity team regularly reviews enterprise risk management-level cybersecurity risks, and key cybersecurity risks are incorporated into our Enterprise Risk Management program. In addition, we have a set of Company-wide policies and procedures concerning cybersecurity matters, which include cybersecurity guidelines as well as other policies that directly or indirectly relate to cybersecurity, such as policies related to encryption standards, antivirus protection, remote access, multi-factor authentication, confidential information and the use of the Internet, social media, email and wireless devices.

Our Chief Information Security Officer ("CISO"), our information security team, and third-party service providers help identify, assess, and manage our cybersecurity threats and risks, including through the use of our cybersecurity risk assessment program. Our CISO, along with this team as applicable, identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods, including automated and manual tools, third-party threat feeds, internal audits, access control assessments, and evaluating threats reported to us by various third-party enterprise threat reporting services.

As part of our cybersecurity program, we regularly test our cyber defenses by performing simulations and drills at a technical level with third-party experts, conducting internal user susceptibility testing, and reviewing our operational policies and procedures. Our cybersecurity team monitors alerts and meets to discuss threat levels, risk ranking, trends and remediation. Further, we conduct regular external penetration tests, red team testing and maturity testing to assess our processes and procedures and the threat landscape. We conduct security assessments on additions and changes to our systems and applications, including third-party service providers. In addition, our Audit Services group conducts periodic reviews of cybersecurity controls, procedures, and applications and monitors remediation activities. Our assessment of risks associated with the use of third-party providers is part of our overall cybersecurity risk management framework.

We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including "Any material disruption of our information systems could disrupt our business and reduce our sales" and "A data security or privacy breach could damage our reputation, harm our customer relationships, expose us to litigation or government actions, and result in a material adverse effect to our business, financial condition and results of operations."

Governance

Our Board of Directors addresses our cybersecurity risk management as part of its general oversight function and has delegated to our Audit Committee responsibility for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.

The CISO is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Audit Committee of the Board. Our CISO has two decades of experience leading cybersecurity oversight, with ten years in a multinational company environment. Members of the security team have cybersecurity experience and certifications, such as the Certified Information Systems Security Professional certification. We regularly conduct training and/or simulations to ensure employees are aware of current cyber threats. Additionally, tabletop exercises at a management level incorporate external advisors. All employees are required to complete cybersecurity training annually. We also require employees in certain roles to complete additional role-based, specialized cybersecurity training.

Our cybersecurity incident response process is designed to escalate certain cybersecurity incidents to members of management, depending on the circumstances, including our CISO, our Chief Financial Officer and our General Counsel. In addition, our incident response process includes reporting to the Audit Committee for certain cybersecurity incidents.

The Audit Committee receives quarterly reports from our CISO concerning our significant cybersecurity threats and risks and the processes we have implemented to address them. Our Board of Directors also receives periodic reports from our CISO or the Audit Committee regarding our overall cybersecurity program.
