CONNS INC - (CONN)

10-K Filing Date: April 18, 2024
ITEM 1C. CYBERSECURITY.
Leadership and Governance
Our organization is guided by our Chief Information Security Officer (CISO), who leads our enterprise-wide cybersecurity strategy, compliance, policy, standards, architecture, cyber operations, risk management, governance, and processes. With over 25 years of experience in Information Security, including 14 years as a CISO for several multi-billion-dollar organizations, our CISO brings unparalleled expertise to our security initiatives.
Executive Reporting
Our CISO provides periodic security and risk management updates to executive leadership, the board of directors, and the audit committee, ensuring comprehensive awareness and oversight of our security posture. Updates are delivered during quarterly meetings with executive leadership and bi-annual meetings with the audit committee. Topics related to cybersecurity risk, control maturity, incident management, compliance posture, and security improvement initiatives are addressed during these meetings.
Standards and Frameworks
Our cybersecurity program aligns with leading industry standards, including the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. The NIST CSF provides a structured and flexible approach to managing cybersecurity risk, enabling us to effectively identify, protect, detect, respond to, and recover from cyber threats. By adhering to NIST standards, we enhance our resilience and ensure alignment with recognized best practices.
Thought Leadership and Collaboration
We leverage thought leadership from key vendors, business partners, and industry intelligence sources to stay abreast of emerging threats and align with best practices. This collaborative approach enables us to proactively respond to evolving cyber risks while effectively managing risk in line with our organizational risk appetite.
Continuous Monitoring and Response
Our security operations include 24/7 monitoring conducted by a third-party provider in collaboration with internal teams. Conn's has implemented vendor management controls that ensure our service providers practice due diligence and due care when providing professional services to Conn's or managing our data. Additionally, Conn's has implemented risk management processes to monitor for cybersecurity threats associated with vendors who have access to our systems, applications, or data. This proactive approach ensures timely detection and response to cybersecurity threats, minimizing the potential impact on our business operations and financial condition.
Incident Management
As of the date of this Annual Report on Form 10-K, there are no known security threats or incidents that are likely to materially affect our business strategy, operations, or financial condition. We maintain robust incident management processes to swiftly address any security incidents that may arise, mitigating their impact and preserving the integrity of our operations.
In conclusion, our information security program is underpinned by strong leadership, adherence to industry standards, proactive monitoring, and collaboration with internal and external stakeholders. By prioritizing cybersecurity and risk management, we uphold our commitment to safeguarding our assets, maintaining operational resilience, and protecting the interests of our stockholders.