TILE SHOP HOLDINGS, INC. - (TTSH)
10-K Filing Date: February 29, 2024
Like all businesses, the Company faces cybersecurity threats, as the Company is reliant upon information systems and the Internet to conduct its business activities. For example, in connection with payment card sales and other transactions, including bank cards, debit cards, credit cards and other merchant cards, the Company processes and transmits confidential banking and payment card information. Additionally, as part of its normal business activities, the Company collects and stores sensitive personal information related to the Company’s employees, customers, suppliers and other parties. Businesses, including those in our industry, and third parties on which we rely are frequently confronted with a broad range of cybersecurity threats, from uncoordinated, individual attempts to gain unauthorized access to an organization’s information technology (“IT”) environment to sophisticated and targeted cyberattacks sponsored by foreign governments and criminal enterprises.
Although the Company employs measures to prevent, detect, address, and mitigate these threats, a cybersecurity incident could potentially result in the misappropriation, destruction, corruption, or unavailability of critical data, personally identifiable information, and other confidential or proprietary data (our own or that of third parties) and the disruption of business operations. Any such incidents could compromise the Company’s networks, or those of our vendors, or disrupt the Company’s or our vendors’ critical systems, and the information stored there, such as personally identifiable information or funds, could be accessed, publicly disclosed, lost, corrupted or stolen. Third parties may have the technology and know-how to breach the security of this information, and the Company’s security measures and those of the Company’s banks, merchant card processing and other technology suppliers may not effectively prohibit others from obtaining improper access to this information. The techniques used by criminals to obtain unauthorized access to sensitive data change frequently and often are not recognized until launched against a target; accordingly, the Company may be unable to anticipate these techniques or implement adequate preventative measures.
The potential consequences of a material cybersecurity incident include remediation and restoration costs, reputational damage, and litigation with third parties, which in turn could adversely affect our competitiveness and results of operations. Accordingly, cybersecurity is an important part of the Company’s enterprise risk management program, and the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach.
The Company’s cybersecurity policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats and responding to cybersecurity incidents are integrated into the Company’s risk management program and are based on recognized frameworks established by the National Institute of Standards and Technology and other applicable industry standards. The Company has established controls and procedures, including an Incident Response Plan, that provide for the identification, analysis, notification, escalation, communication, and remediation of data security incidents at appropriate levels so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. The Company has also established a process to validate the aforementioned controls are in place and the results are being reviewed as a part of the overall company risk assessment. The Company’s Incident Response Plan (i) is designed to identify and detect information security threats through various mechanisms, such as through security controls and third-party disclosures, and (ii) sets forth a process to (a) analyze any such threats detected within the Company’s IT environment or within a third-party’s IT environment, (b) contain cybersecurity threats under various circumstances, and (c) better ensure the Company can recover from cybersecurity incidents to a normal state of business operations. The Company has established and maintains other incident response and recovery plans that address the Company’s response to a cybersecurity incident.
The Company has cybersecurity insurance (subject to specified retentions or deductibles) related to a cybersecurity incident that addresses costs, losses, and expenses related to cybersecurity investigations, crisis management, notification processes and credit monitoring services, public relations, and legal advice. However, damages, fines and claims arising from such incidents may not be covered or may exceed the amount of any insurance available or may not be insurable.
As part of its cybersecurity program, the Company deploys measures to deter, prevent, detect, respond to and mitigate cybersecurity threats, including firewalls, anti-malware, extended detection and response systems, identity and access controls, strong password controls, multi-factor authentication, software patching protocols, and physical security measures. The Company periodically assesses and tests the Company’s policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents, including by assessing current threat intelligence, conducting tabletop exercises, vulnerability scanning, and performing external penetration testing. The Company has a process to report material results of such testing and assessments to the Board, and periodically adjusts the Company’s cybersecurity program based on these exercises. The Company engages third parties to oversee and conduct part of such testing, as well as perform external audits of security protocols and capabilities. The Company seeks to identify and oversee cybersecurity risks presented by third parties and their systems from a risk-based perspective by identifying critical vendors (defined based on capabilities provided and investments required) and reviewing software patching, upgrades and associated changes required to reduce risk. The Company also conducts cybersecurity training for employees, including mandatory training programs for system users. The Company’s training programs require employees to complete a knowledge check prior to completion of the program. Completion of the Company’s training programs is monitored by management.
Many of the Company’s IT systems operate with a hosted architecture or by third-party service providers, and if these third-party IT environments fail to operate properly, our systems could stop functioning for a period of time, which could put our users at risk. Accordingly, we are dependent on the operations of IT service providers. Our vendor management process, which includes due diligence steps prior to selecting third-party service providers, is an important part of our risk mitigation strategy. In particular, we require ISO and other security compliance for all critical vendors by contract. Additionally, the Company monitors risks from cybersecurity threats associated with the use of third-party service providers and will audit critical vendors for compliance, as appropriate. Notwithstanding, if there is a catastrophic event, such as a natural disaster or other adverse weather condition, terrorist attack, security breach, or other extraordinary event, the Company, and our service providers, may be unable to operate business as usual, or at all, for the duration of the event and/or a time thereafter.
Considering the pervasive and increasing threat from cyberattacks, the Board and the Audit Committee, with input from management, assess the Company’s cybersecurity threats and the measures implemented by the Company in an effort to mitigate and prevent cyberattacks. The Audit Committee consults with management regarding ongoing cybersecurity initiatives and requests management report to the Audit Committee or the full Board regularly on their assessment of the Company’s cybersecurity program and risks. Both the Audit Committee and the full Board receive quarterly reports from the Chief Information Officer on cybersecurity risks and timely reports regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. Our Board has risk management experience, including members with experience in overseeing teams responsible for data security and cybersecurity and assessing technology-related risks and development of risk mitigation strategies.
In addition, the Company’s information security/cybersecurity program is managed by the Director of Infrastructure and Security, who is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The Director of Infrastructure and Security and Chief Information Officer provide periodic reports to our Board and Audit Committee as well as our Chief Executive Officer and other members of our senior management as appropriate. We have also established cross-functional teams to collaborate and communicate on cybersecurity-related issues. The reports to management include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape. The Incident Response Team, which includes the Chief Information Officer, Director of Infrastructure and Security, Chief Financial Officer and key operational leaders, is regularly engaged to discuss cybersecurity risks and to review the Company’s preparations for any security events. The Incident Response Team will notify the Board of Directors of any critical events as defined in the Incident Response Plan. Additionally, the Chief Information Officer regularly engages the Board representative with cybersecurity experience to identify Board-level needs for education and communication.
The Chief Information Officer holds an undergraduate degree in computer science and has served in various roles in information technology for over 30 years, including serving as a senior technology leader or Chief Information Officer of two public companies and two private equity-owned firms. The Chief Information Officer and Chief Financial Officer have prior experience supporting organizations that have experienced cybersecurity events and continue to learn more about the current trends and risks by partnering with third parties.
While the Company faces a number of cybersecurity risks in connection with its business, as of the date of this report, the Company is not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.