STEVEN MADDEN, LTD. - (SHOO)
10-K Filing Date: March 04, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Company employs a comprehensive, cross-departmental approach to continuously assess, identify, and manage potential cybersecurity risks. Our cybersecurity risk management program involves collaboration among our employees, the information technology (“IT”) security team, which is led by our Chief Information Security Officer (“CISO”), and the Information Security Steering Committee (“ISSC”), which is chaired by our CISO and composed of executive and senior representatives from key corporate functions, all overseen by the Board of Directors, primarily through the Audit Committee. The Company’s cybersecurity policies, standards, processes, and practices are integrated into the Company’s overall risk management program, and we regularly consider cybersecurity risks in the context of material risks to the Company.
Our cybersecurity risk management program organizes its activities around five functions: identify, protect, detect, respond, and recover. We regularly assess the cybersecurity threat landscape, employing a layered cybersecurity strategy that emphasizes prevention, detection, and mitigation through a variety of technical and operational measures. As part of our cybersecurity risk management program, our information security program is tailored to address identified risks while aligning with pertinent business requirements.
We foster a shared responsibility for the Company’s cybersecurity with all of our employees, conducting periodic phishing simulation campaigns and providing regular, mandatory cybersecurity training to enhance awareness and readiness against potential cyber threats. Certain roles require additional role-based, specialized cybersecurity training, such as tabletop exercises, to ensure proactive preparation and effective coordination in the event of a security incident. We engage a third party to conduct annual tabletop exercises in order to rehearse our incident response plan, as well as to identify and prioritize opportunities for improvement within our cybersecurity program and associated security controls, through a customized simulation specifically tailored to our current environment, processes, and procedures. To protect our data and information systems, we maintain Company-wide cybersecurity policies and procedures regarding encryption standards, antivirus protection, remote access, multifactor authentication, confidential information, and internet, social media, email, and wireless device usage. Our IT security team reviews and updates such policies and procedures to adapt to the evolving cybersecurity landscape, industry best practices, and regulatory and statutory updates. Our CISO conducts thorough reviews of these updates at least annually to ensure their continued relevance and effectiveness in safeguarding the Company’s assets and business interests.
We continually seek to update our IT security, encompassing end-user training, layered defenses, critical asset identification and protection, enhanced monitoring and alerting, and engagement with third-party experts to evaluate the efficacy of our security measures. We engage reputable third parties to assist in the monitoring, protection, detection, and potential remediation of cybersecurity threats and incidents. We also regularly evaluate cybersecurity risks associated with our use of third-party service providers, conducting an annual review of hosted applications and assessing their cybersecurity preparedness. Risks from cybersecurity threats, including as a result of previous cybersecurity incidents encountered by the Company and known incidents encountered by third parties with a connection to the Company, have not materially affected, and are not currently viewed as reasonably likely to materially affect, our Company, including our business strategy, results of operations, or financial condition.
Governance
Management
Our CISO is primarily responsible for the assessment and management of the Company’s material cybersecurity risks and the related cybersecurity risk management policies and procedures. Our CISO oversees our cybersecurity risk management and information security programs and provides quarterly status reports to the ISSC and the Audit Committee. Our CISO possesses over 24 years of experience in various technology, cybersecurity operations, and engineering roles, holds a bachelor’s degree in computer information science and a master’s degree in technology management, earned a CISO Certificate from Carnegie Mellon University, and is ISC2 CISSP certified.
Other key members of management assist our CISO in the oversight of cybersecurity risk management through their membership in the ISSC, which is chaired by our CISO and composed of our Chief Executive Officer, Chief Financial Officer, Chief Information Officer, General Counsel, President of Direct-to-Consumer and Global Digital, Privacy Counsel, and Vice President of Internal Audit. The ISSC reviews and discusses comprehensive quarterly and annual reports from our CISO and the IT security team in order to provide cooperative, collaborative, and consensus-driven information security guidance to the IT department and the Company as a whole.
We have also established an Incident Response Team (the “IRT”), which is composed of individuals from our various IT and managerial functions and consults with members of internal departments, as needed, to identify and assess security incidents, including their impact and severity. Upon identification of a security incident, the IRT performs an impact analysis and then determines the appropriate course of action, which may include escalation to the ISSC. Upon consultation with the ISSC and consideration of the relevant risks, the IRT determines whether the incident should be communicated to the Audit Committee of the Board of Directors.
Board of Directors
The Audit Committee of the Board of Directors has responsibility for oversight of information and cybersecurity risks and the assessment of cyber threats and defenses, and it oversees management to ensure that the processes designed, implemented, and maintained with respect to such risks are functioning as intended and are adapted when necessary to respond to changes in our strategy, as well as to emerging risks. Given the importance of information security and cybersecurity to our stakeholders, our Audit Committee reviews quarterly reports from our CISO regarding the Company’s cybersecurity strategies for mitigating known risks, any newly identified risks, existing projects, and key performance insights, and engages in discussions with management based on such reports and other recent developments.