Savers Value Village, Inc. - (SVV)

10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity Risk Management, Strategy and Governance
Risk Management Strategy
Savers is committed to maintaining a cybersecurity risk management strategy that encompasses assessments, monitoring, and proactive measures to safeguard our assets and operations. Our approach involves a combination of internal and external risk assessments, monitoring, vulnerability scanning and remediation, external penetration testing and disaster recovery planning.
On an annual basis, we conduct internal and external risk assessments to identify, evaluate, and prioritize potential risks to our business operations, data, and information systems. These assessments utilize industry-standard methodologies and frameworks to evaluate emerging threats and vulnerabilities. Specifically, we align our efforts with the National Institute of Standards and Technology framework, the Center for Internet Security (CIS) Controls version 8.0 and the Payment Card Industry Data Security Standard (PCI DSS) framework. Identified risks are categorized and assessed for potential impact, allowing us to implement targeted mitigation strategies.
Continuous monitoring is a fundamental component of our risk management strategy. We employ appropriate technologies and tools to monitor our network, systems, and applications. This proactive approach supports our efforts to detect and respond to anomalies, potential threats, and emerging vulnerabilities. Our dedicated cybersecurity team conducts regular reviews of security logs and alerts, facilitating a swift and effective response to any deviations from established security baselines. We have also implemented a comprehensive third-party risk management program that includes a review of each third party’s SOC 1 and SOC 2 reports and Service Level Agreements to ensure their security practices align with our standards.
We employ regular vulnerability scanning processes to identify weaknesses and potential points of exploitation within our infrastructure. Following the identification of vulnerabilities, a systematic remediation process is initiated. Our activities to mitigate vulnerabilities on an ongoing basis include the application of patches and updates, and the implementation of compensating controls to address and mitigate the identified vulnerabilities. Our goal is to maintain a proactive stance in eliminating potential entry points for cyber threats.

As part of our commitment to maintaining a robust security posture, we engage in annual external penetration testing conducted by reputable third-party security firms. These tests simulate real-world cyber-attacks to evaluate the effectiveness of our defenses and identify areas for improvement. The insights gained from penetration testing inform our ongoing security enhancements, aiding the resiliency of our systems against evolving cyber threats.
We have also deployed a Disaster Recovery as a Service (DRaaS) solution that enhances our ability to recover and restore data in the event of a cybersecurity incident or other event, such as a natural disaster. Our systems and data are categorized into tiers, with our most critical systems covered by appropriate backup approaches and rapid recovery tools and processes matched to their criticality.
Cybersecurity Risks
In 2020, we suffered a ransomware incident associated with a well-known threat actor. While personnel time and attendance data was encrypted and unrecoverable, no evidence of unauthorized access to personal or business-related information was found, and our IT Security team immediately blocked the point of entry. Post-incident, Savers undertook a comprehensive review, identifying areas of vulnerability. Controls were systematically implemented, including appropriate backup approaches and regular testing of their effectiveness, proactive security monitoring tools and processes, and the expansion of our cybersecurity team and activities. Our continued ransomware mitigation strategies focus on resiliency, rapid recovery, and automated isolation of potentially affected assets.
Other than the 2020 incident discussed above, we have no reason to believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For additional information, see “Risks Relating to Information Technology, Intellectual Property, Data Security and Privacy,” in Item 1A, “Risk Factors” in this Annual Report.
Governance
Our Board, directly and through the Audit Committee, provides oversight of our operational risk management process and compliance with legal and regulatory requirements. Among its responsibilities, the Audit Committee reviews and discusses with management and the internal audit group all major financial risk exposures and management’s risk assessment and risk management policies. Further, the Audit Committee has specific oversight of risks related to data privacy and information security, including compliance with applicable laws and management’s response to material cybersecurity and privacy incidents or breaches. As part of its responsibilities, the Audit Committee periodically reviews with management the Company’s capabilities, policies, controls, methods and procedures related to (i) identifying, assessing and mitigating information and cybersecurity risks, (ii) disaster recovery and business continuity and (iii) compliance with data privacy and information security laws.
Regularly scheduled Audit Committee meetings include an information technology and cybersecurity update as a standing agenda item. These updates are typically given by our Chief Information Officer (CIO) and can include additional team members from our information technology and security team. The Audit Committee also receives periodic updates from our Enterprise Risk Committee, a management committee which provides oversight of the anticipation, identification, prioritization, and management of the Company’s material risks. The Audit Committee regularly reports to the Board on its oversight of these topics. In addition, both the Audit Committee and the Board receive special presentations about risk areas as needed.
The Company also maintains a Crisis Response Plan, which may be activated in the event of certain cybersecurity incidents. Our Crisis Response Plan includes specific procedures and considerations for cybersecurity and ransomware incidents, including involvement of our executive team and outside advisors and required reporting to the Audit Committee and Board. Typically, our Chief Compliance Officer (CCO) would lead management of a crisis incident.
Our CIO has primary responsibility for assessing and managing cybersecurity risks. The CIO reports directly to the CEO and is a member of the Enterprise Risk Committee. Our current CIO is an experienced senior technology executive with over 30 years of IT experience, including several CIO roles in leading retail and direct marketing organizations. Our CCO, who is also our General Counsel, is responsible for maintaining our Crisis Response Plan. The CCO reports directly to the CEO, is a member of the Enterprise Risk Committee and also oversees the Company’s risk department. Our CCO has navigated the Company through multiple complex situations and also led the Company’s response in its 2020 ransomware attack discussed above.