LANDS' END, INC. - (LE)

10-K Filing Date: April 03, 2024
ITEM 1C. CYBERSECURITY

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a data security incident response policy and a security incident response plan, which were first developed in 2017 and are periodically reviewed and updated.

We have designed and assessed our program based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). This does not imply that we meet any particular technical standards, specifications, or requirements, rather only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to our legal, compliance, strategic, operational, and financial risk areas.

Our cybersecurity risk management program includes:

a data security incident response policy and a security incident response plan that include detailed procedures for responding to cybersecurity incidents, determining severity of cybersecurity incidents and notifying appropriate internal and external parties;
third-party and internal risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment;
a security team consisting of members of our information technology department, principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
periodic tabletop exercises involving the security team, the data security incident management team, and members of management, with special sessions expected to occur for the Board of Directors;
annual audit by a Payment Card Industry (“PCI”) qualified security risk assessor to validate our PCI compliance;
the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
regular cybersecurity awareness training, including social engineering and phishing testing of our employees, incident response personnel, and senior management;
deployment of external tools designed to detect and protect against spam, malware and other cybersecurity threats and train personnel; and
third-party security event monitoring.

There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be adequate, fully complied with or effective in protecting our systems and information.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors – RISKS RELATED TO INFORMATION TECHNOLOGY, CYBERSECURITY AND DATA PRIVACY.”

24

 

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of data protection and cybersecurity risks as part of the Audit Committee’s oversight of the Company’s enterprise risk management framework. The Audit Committee regularly reports to the full Board regarding its activities, including those related to cybersecurity.

The Audit Committee receives regular reports from management on our cybersecurity risks, which include updates on trends and threats, the Company’s backup and response systems, internal and external risk assessments, results of PCI and other security audits, and planned updates and upgrades. The Audit Committee also receives regular enterprise risk management updates, which include management of cybersecurity risks.

In accordance with our data security incident response plan, management is required to promptly update and discuss with the Audit Committee any material or potentially material cybersecurity incidents and provide an update to the Board upon determination. Management regularly updates the Audit Committee regarding incidents with lesser impact potential.

Our management team, including our Chief Financial Officer, Chief Technology Officer and General Counsel (the cybersecurity disclosure committee), is responsible for assessing material risks from cybersecurity threats and our General Counsel oversees any required reporting obligations and notifications. Our Chief Technology Officer has primary responsibility for overseeing our security incident response plan, including identification and initial assessment of threat levels and escalations. Critical incidents are escalated to a cross functional data security incident management team for review, which then escalates potentially material incidents and threats to the cybersecurity disclosure committee for determinations of materiality and Audit Committee and Board communications. Our Chief Technology Officer has 20 years of experience with cybersecurity management response, and multiple direct reports who have 10 or more years of experience leading technology infrastructure and security incident response. Our General Counsel has over seven years of experience leading our incident response management team.

Our Chief Technology Officer is the primary point of responsibility for cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology environment.

25

 

Back SEC Filing