YETI Holdings, Inc. - (YETI)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We operate a risk-based cybersecurity program dedicated to protecting the confidentiality, integrity and availability of our information systems and the information residing therein.
YETI’s cybersecurity program has been integrated into our enterprise risk framework, which identifies, aggregates, and evaluates risks across the enterprise. The enterprise risk framework is integrated with our annual planning, internal audit scoping, and management process. Our internal audit team annually facilitates an enterprise risk assessment with senior management and, through this process, we identify and assess material risks impacting our company and our operations and strategic objectives, which includes information technology and security risks. Management and the Board rank YETI’s risks based on their potential impact to YETI’s ability to meet our strategic priorities. Management determines appropriate risk responses for each identified enterprise risk. Outside of this annual process, management is responsible for our day-to-day risk management activities.
Our Information Technology team (which includes our Director of Cybersecurity) and our Technology Compliance team (which includes our Director of Technology Compliance) have primary responsibility for the implementation of our cybersecurity program and the management of our responses to information technology and security risks, including risks related to cybersecurity threats. Our cybersecurity program has been developed based on industry standards, including those published by the International Organization for Standardization and the National Institute of Standards and Technology.
We utilize a layered approach in managing and protecting against cybersecurity threats and in detecting and responding to cybersecurity incidents. Although we have numerous practices and processes to protect against common cybersecurity incidents, some attacks or other breaches may still be effective. Such practices and processes are designed to detect, triage and contain these cybersecurity incidents. These controls include:
•Identification: In addition to technology-based detection capabilities, there are numerous ways employees can report suspected or actual events, including through our internal information technology ticketing system, by emailing the cybersecurity or privacy team emails, or by submitting a report through the compliance hotline. External parties can also report a vulnerability through the link in the footer of our website.
•Technical Safeguards: We leverage outside partnerships to gain intelligence on threats and continue to adjust our protection mechanisms (including firewalls, anti-malware functionality and access controls) to be effective. We have systems in place that are designed to securely receive and store information and to detect, contain, and respond to data security incidents.
•Incident Response: We maintain a comprehensive incident response plan to guide our response to a cybersecurity incident. Events are analyzed and categorized into one of four severity tiers and an incident response team is formed (whose membership depends on the nature of the incident). In addition to taking actions to respond to and remediate the incident, the incident response team also considers external notification and disclosure obligations. The incident response plan provides for prompt escalation of certain cybersecurity incidents to a multi-disciplinary committee so that decisions regarding the public disclosure of such incidents can be made in a timely manner.
•Testing: We engage in periodic assessment and testing of our policies, processes, and practices that are designed to address cybersecurity threats and incidents. For example, we hire a third party to perform an annual penetration test on our website, internal network, and cloud environments. Our other efforts vary from year to year, but have in the past included an information security maturity assessment, risk assessment, tabletop exercises, and threat modeling. The results of such efforts are reported to the Audit Committee of the Board (the “Audit Committee”) and the Board, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessment, exercise or review.
•Education and Awareness: We have a cybersecurity and information security training and compliance program in place to support our employees and directors. As part of this program, YETI employees are subject to recurring phishing exercises. The results of these exercises are used to inform the subject matter and frequency of additional training modules that employees are required to complete. In addition, employees annually receive training on data privacy and information security, including cybersecurity. YETI also maintains a number of policies that apply to employees and contractors, including a Global Internal Data Protection and Privacy Policy, an Acceptable Use Policy, and a Password Policy.
•Insurance: YETI also maintains a cybersecurity and information security risk insurance policy.
•Third Parties: YETI has processes in place to oversee and identify risks from cybersecurity threats associated with third-party vendors. Such processes vary based on factors such as the type of vendor, whether the relationship will implicate our technology, and the type of data involved, if any.
To date, we do not believe that known risks from cybersecurity threats, including as a result of any previous cybersecurity incidents that we are aware of, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, we can give no assurance that we have detected all cybersecurity incidents or cybersecurity threats. Please refer to the risk factor titled “We rely significantly on information technology, and any compromise or interruption of that technology resulting from cybersecurity incidents, data security breaches, design defects or system failures could have a material negative impact on our business” in Part I, Item 1A of this Report for additional information about the risks associated with cybersecurity threats.
Governance
As part of its oversight function, the Board plays an active role, both as a whole and at the committee level, in overseeing management of YETI’s cybersecurity risks. The Audit Committee has primary oversight responsibility for our overall enterprise risk assessment and risk management policies and systems, which includes risks related to our information technology and security systems, processes, and procedures, including risks related to cybersecurity threats. The Audit Committee receives quarterly presentations regarding our enterprise risk management program, including reports from our Director of Cybersecurity on information security matters (such as cybersecurity risk and developments), as well as the steps management takes to monitor and control such exposures. These presentations address, among other things, the results of the most recent assessment or testing of our information security systems and our cybersecurity measures; the current threat environment; and cybersecurity trends and best practices. As applicable, these quarterly presentations also include reports of cybersecurity incidents affecting our information systems along with updates on the status of prior cybersecurity incidents and applicable remediation efforts. Such quarterly presentations given to the Audit Committee are summarized and shared with the Board at its next meeting by the Audit Committee Chair. Outside of such quarterly presentations, senior leadership would be expected to update the Audit Committee and the Board in real time of incidents deemed material and requiring disclosure in a Securities and Exchange Commission filing, or of other “critical” or “high” severity incidents (the highest severity tiers under our incident response plan) that in senior leadership’s discretion require more immediate Audit Committee attention.
In addition, the internal audit team provides quarterly cybersecurity updates to either the Audit Committee or the full Board regarding our risk analyses, assessments, risk mitigation strategies, and activities.
As described above, management is responsible for our day-to-day risk management activities and identifies and manages areas of material risk, which includes information technology and security. Our Chief Financial Officer oversees our Information Technology team, which includes the Director, Cybersecurity. Our Chief Legal Officer oversees our Compliance team, which includes our Director, Technology Compliance. We believe that such cross-departmental involvement promotes a collaborative approach to protecting the Company’s information systems from cybersecurity threats, detecting cybersecurity incidents and responding to cybersecurity incidents in accordance with our incident response plan. Through the practices and policies described above, including our incident response plan, our Director, Cybersecurity and Director, Technology Compliance are informed about cybersecurity threats and incidents affecting our information systems and lead the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents in real time. Incidents deemed “critical” or “high” are immediately escalated to the Chief Financial Officer, Chief Legal Officer, other senior leadership, and the Audit Committee.
The Director, Cybersecurity has served in various roles in information technology and information security for over 24 years. Prior to joining YETI, he was a principal information security engineer for a global information technology consulting company. The Director, Cybersecurity holds an undergraduate degree in information technology and a master’s degree in information systems and technology management, and has attained the professional certifications of Certified Information Systems Security Professional and Certified Information Systems Auditor. The Director, Technology Compliance has served in various roles in information technology for 11 years, including as a compliance manager for a large software company and as an information technology consultant for a major consulting firm. The Director, Technology Compliance holds an undergraduate degree in accounting and a master’s degree in management information systems, and has attained the professional certification of Certified Information Systems Auditor. Our Chief Legal Officer has over 13 years of experience managing risks, including risks arising from cybersecurity threats, in an officer capacity. Our Chief Financial Officer has 20 years of experience managing risks at large companies.