National Vision Holdings, Inc. - (EYE)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have developed processes for assessing, identifying and managing material risks from cybersecurity threats. Our enterprise risk assessment and management system incorporates risks from cybersecurity threats alongside other risks to the Company. We also have a management level risk management council that supports our processes to assess and manage cybersecurity and other risks. Our information security team oversees and implements security controls designed to minimize the risk or impact of any breach or unauthorized disclosure of our confidential and sensitive data, including protected health and personal information. These controls include endpoint protection and response software (anti-virus), network intrusion detection devices, a vulnerability management program, IT and third-party risk management programs, and multifactor authentication. We provide annual security awareness training for corporate and store associates, and we administer periodic phishing testing and training to associates who have access to a company email address. The security of the National Vision network is monitored by a Security Operations Center (“SOC”), which works with our information security team with the aim of preventing realization of attacks by threat actors. We also maintain an incident response plan which, among other things, is designed to mitigate the impact of an incident, assist in restoring normal business operations, comply with applicable regulatory obligations arising from an incident and prevent similar future incidents. Our risk management processes also address cybersecurity threat risks associated with our use of third-party service providers. Our Chief Technology Officer (“CTO”) collaborates with our information security and legal teams to conduct periodic table-top exercises and testing of our data security and incident response procedures. Periodically, we engage specialized third parties to conduct exercises that stress test our data security systems and practice company-wide response tactics. We also conduct third-party HIPAA risk assessments to identify and catalog potential risks to health data.
As of the date of this report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, as discussed under “Item 1A. Risk Factors – We rely heavily on our information technology systems, as well as those of our vendors, for our business to effectively operate and to safeguard confidential information; any significant failure, inadequacy, interruption or security breach could adversely affect our business, financial condition and operations,” the sophistication of cyber threats continues to increase, and the actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. As such, no matter how well our controls are designed or implemented, we cannot assure that we will be able to anticipate all security breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.
Governance
Our CTO oversees our approach to cybersecurity and is responsible for assessing and managing our material risks from cybersecurity threats. Our CTO has served in this role at the Company since 2020, and has more than 25 years of experience in the aggregate in various senior roles involving managing global information technology and security teams spanning strategy, implementation, operations and compliance. The Vice President of Information Technology Infrastructure collaborates with the CTO and a supporting team to maintain and update the Company’s technology infrastructure and corresponding safety measures. Our VP of Information Technology Infrastructure has served in this role at the Company for over six years, has over 25 years of experience in information technology systems and holds a bachelor of science degree in computer information systems.
Our CTO is informed about, and monitors the prevention, detection, mitigation and remediation of, cybersecurity incidents through the management of and participation in the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. When a cybersecurity incident occurs or we identify a vulnerability, we have cross-functional teams that are responsible for leading the initial assessment of priority and severity, and external experts may also be engaged as appropriate.
The audit committee of our Board oversees our enterprise risk management process, which includes risks from cybersecurity threats. The audit committee regularly receives reports from management with respect to risks from cybersecurity threats and, on a quarterly basis, reviews with the CTO our cybersecurity and data security risks and mitigation strategies, along with program assessments, planned improvements and the status of information technology initiatives. These risks and mitigation strategies are also periodically reviewed by the entire Board.