CARTERS INC - (CRI)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
To effectively assess, identify, and manage material risks from cybersecurity threats, the Company maintains a cyber risk management program, which is led by our Chief Information Security Officer and Vice President of Infrastructure Services and Supply Chain Systems (the “CISO”). The CISO reports to the Senior Vice President and Chief Information Officer (the “CIO”), who in turn reports to the CFO.
The Company has implemented the following processes to assess, identify, and manage material risks from cybersecurity threats:
Annual assessments, by an independent third party, of the Company’s cybersecurity framework under the National Institute of Standards and Technology (“NIST”) cybersecurity framework;
Penetration tests conducted by a third party;
Simulation of attacks on the Company’s systems by third parties to test the Company’s systems and protections;
“Table-top” simulation exercises involving the Company’s management and its third-party consultants and advisors to simulate a cyber incident and the Company’s response to that incident, pursuant to the Company’s Incident Response Plan; and
Payment card industry (“PCI”) audits to assess the Company’s processing of credit card transactions pursuant to standards adopted by the PCI.
In addition, to mitigate material risks from cybersecurity threats, the Company has implemented various controls, including, but not limited to, the following:
Intrusion prevention controls (such as network segmentation and firewalls);
Access controls (such as identity and access management and multi-factor authentication on critical applications and systems);
Detection controls (such as endpoint threat detection and response, and logging and monitoring involving the use of a third-party for security information and event management, with reports and alerts provided by the third-party to the CISO’s team); and
Threat protection controls (such as mandatory cyber-threat training and simulated phishing campaigns with employees, vendor management programs, and vulnerability and patch management).
The Company has integrated its processes for assessing, identifying, and managing material risks from cybersecurity threats into its overall risk management framework, including through coordination with the Company’s internal leader of Enterprise Risk Management, and through quarterly reporting to the Company’s Audit Committee. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition, except as disclosed in the risk factor titled “Our systems, and those of our third-party vendors, contain personal information and payment data of our retail store and eCommerce customers, and other third parties could be breached, which could subject us to adverse publicity, costly government enforcement actions or private litigation, and expenses” in Part I, Item 1A, “Risk Factors”.
The Company has also implemented processes for overseeing and identifying risks from cybersecurity threats associated with its use of third-party service providers. For example, the Company has implemented the following:
Vendor onboarding processes including a Privacy Impact Assessment and a Cyber Security and Compliance Questionnaire; and
Enrollment of each vendor in a third-party risk monitoring tool that alerts the CISO’s team should that vendor’s security posture change.
Governance
The Audit Committee of the Board of Directors oversees risks from cybersecurity threats, including through quarterly reports to the Audit Committee by the Company’s CISO and CIO and, as needed, special reports to the Audit Committee and/or the Chairperson of the Audit Committee. The Audit Committee includes members with technology and cybersecurity experience and certifications, including a Committee member with over 28 years of experience working for Hewlett Packard Enterprise Company and a Committee member with a Computer Emergency Readiness Team (“CERT”) Certificate in Cybersecurity Oversight issued by the CERT Division of the Software Engineering Institute at Carnegie Mellon University and completion of the National Association of Corporate Directors Master Course in Cybersecurity.
Management plays an integral role in assessing and managing the Company’s material risks from cybersecurity threats. The assessment and management of those risks is led by the Company’s CISO, who has over 20 years of experience working in information technology, including over 10 years specifically focused on information security, infrastructure, and strategy, and the Company’s CIO, who has over 25 years of experience in Retail, Consumer Products, Merchandising, Supply Chain and IT, of which 15 years have been in leadership roles, and is implemented by the CISO’s team, which is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, processes and operations. The CISO and CIO lead quarterly meetings of the Company’s Security Executive Steering Committee (the “Steering Committee”), which is composed of the Company’s CFO, General Counsel, and CIO. The Steering Committee drives awareness, ownership and alignment across broad governance and risk stakeholder groups for effective cybersecurity risk management and reporting.
The Company’s management maintains and implements a written Incident Response Plan, which is reviewed and updated on an annual basis and includes an Incident Response Plan Executive Committee consisting of the Company’s CIO, CISO, and General Counsel. In addition, members of the CISO’s and CIO’s teams monitor the Company’s systems and processes and promptly report incidents as required under the Incident Response Plan, including, but not limited to, reporting to the appropriate members of management and, as needed, the Audit Committee.
The Incident Response Plan has been developed to align with the four phases of the incident handling lifecycle set forth in the National Institute of Standards and Technology Special Publication 800-61: (1) Preparation, (2) Detection & Analysis, (3) Containment, Eradication & Recovery, and (4) Post-Incident Activity.