Lulu's Fashion Lounge Holdings, Inc. - (LVLU)
10-K Filing Date: March 06, 2024
We have a cross-departmental approach to addressing cybersecurity risk, including input from our Board of Directors (the “Board”), Board committees, employees and third-party experts. The Board, Audit Committee, Technology and Innovation Committee and senior management devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. Our information technology (“IT”) team reviews cybersecurity risks periodically, and we have a set of Company-wide policies and procedures concerning cybersecurity matters, including policies related to encryption standards, remote access, multi-factor authentication, confidential information, the use of the internet, social media, email and wireless devices and incident response. These policies go through an internal review process by members of management and appropriate Board committees, as applicable.
The Company’s President and Chief Information Officer, who has over a decade of experience leading information and cyber security oversight, is responsible for developing and implementing our information security program, overseeing our IT team and reporting on cybersecurity matters to the Technology and Innovation Committee. We view cybersecurity as a shared responsibility, and we consult with third-party resources and advisors as needed on information security maturity assessments, penetration testing, dark web reviews, best practices to address new challenges, and, when applicable, digital forensics. All employees are required to complete annual information security trainings and have access to more frequent online information security trainings.
We continue to prioritize our investments in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting capabilities and engaging experts. We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts. At the management level, our IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. Further, we conduct periodic external penetration tests, bug bounty hackathons and maturity assessments to assess our processes and procedures and the threat landscape. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors and intellectual property. In addition to assessing our own cybersecurity preparedness, the Audit Committee and the IT security team also consider and evaluate cybersecurity risks associated with use of third-party service providers.
We recently created a new Technology and Innovation Committee of our Board to oversee jointly, alongside the Audit Committee, matters of technology, innovation, cybersecurity and information security. The Technology and Innovation Committee also provides advice and guidance to management on these matters. The Technology and Innovation Committee, Audit Committee and the full Board actively participate in discussions with management and amongst themselves regarding cybersecurity risks. The Technology and Innovation Committee receives quarterly cybersecurity reports, which include a review of key performance indicators, test results and related remediation, and recent threats and how the Company is managing those threats. The Audit Committee oversees cybersecurity disclosures and receives periodic reports from management and the Technology and Innovation Committee. Further, the Technology and Innovation Committee and Audit Committee periodically discuss the Company’s actions to identify and detect threats, as well as its cybersecurity strategic roadmap.
In the fiscal year ended December 31, 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, despite our efforts, we