Arhaus, Inc. - (ARHS)
10-K Filing Date: March 11, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We are regularly subject to cyberattacks and other cybersecurity incidents. In response, we evaluate and implement cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage cybersecurity risks. Our management team collaborates with our Information Security function, led by our Chief Information Officer (“CIO”), to gather insights for assessing, identifying and managing cybersecurity threat risks, their severity, and potential mitigations.
We assess our information security program against the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This program includes policies, processes and procedures to help assess and identify our cybersecurity risks and inform how security measures and controls are developed, implemented and maintained. Such risk assessments along with risk-based analysis and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls and impact of controls on operations.
We consult with outside advisors and experts to assist with assessing, identifying, and managing cybersecurity risks, including to anticipate future threats and trends, and their impact on the Company’s risk environment. In addition, we continue to expand training and awareness practices to mitigate risk from human error, including mandatory computer-based training and internal communications for employees. Our employees undergo cybersecurity awareness training and regular phishing awareness campaigns that are based upon and designed to emulate real-world contemporary threats. We provide prompt feedback (and, if necessary, additional training or remedial action) based on the results of such exercises. Our processes also consider cybersecurity risks associated with our use of third-party service providers, including suppliers, software and cloud-based service providers, during contracting and vendor selection processes.
In addition to the processes, technologies, and controls that we have in place to reduce the likelihood of a material cybersecurity incident (or series of related cybersecurity incidents), the Company has a written incident response plan outlining how to address cybersecurity events that occur. The plan sets forth the steps for coordination among various corporate functions and governance groups and serves as a framework for the execution of responsibilities across businesses and operational roles. Our incident response plan is designed to help us coordinate actions to prepare for, detect, respond to and recover from cybersecurity incidents, and includes processes to triage, assess severity, escalate, contain, investigate, and remediate the incident, as well as to assess the need for disclosure, comply with applicable legal obligations and mitigate the impact to our brand and reputation and on impacted parties. We also maintain insurance coverage that, subject to its terms and conditions, is intended to help us cover certain costs associated with cybersecurity incidents and information system failures.
The Company (or the third parties it relies on) may not be able to fully, continuously, or effectively design and implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine whether and how to implement certain security controls, and it is possible that we may not implement the necessary controls if we are unable to recognize, or underestimate, a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate cybersecurity risks. Cybersecurity events, whether detected by our security tools or reported by third parties, may not always be identified immediately or addressed in the manner intended by our cybersecurity incident response plan.
Impact of cybersecurity risks on business strategy, results of operations or financial condition
Based on the information available as of the date of this Form 10-K, we have no reason to believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For additional information, see Item 1A, “Risk Factors” in this Form 10-K.
Cybersecurity Governance
Our cybersecurity risk management and strategy processes are led by our CIO. Our cybersecurity team has experience in various roles across multiple industries involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and managing multiple industry and regulatory compliance environments.
Cybersecurity is an important part of our overall risk management processes and the Audit Committee of our Board of Directors has primary oversight responsibility for the Company’s cybersecurity and other technology risks. The Committee reviews and discusses with management our cybersecurity, privacy and data security programs, the status of projects to strengthen internal systems and any significant cybersecurity incidents, including recent incidents at other companies and the emerging threat landscape. The Committee also reviews with management the implementation and effectiveness of the Company’s controls to monitor and mitigate cybersecurity risks. In addition, our Board receives periodic updates regarding our cybersecurity program.