BUCKLE INC - (BKE)
10-K Filing Date: April 03, 2024
ITEM 1C - CYBERSECURITY
Cybersecurity Risk Management and Strategy
Buckle is committed to earning and maintaining the trust of its guests, teammates, vendors, and shareholders. This commitment, as it relates to technology and data, requires a focus on protecting business operations and preserving the confidentiality, integrity, and availability of information by preventing, identifying, and mitigating cybersecurity threats and effectively responding to any security incidents when they occur. The Company’s commitment to cybersecurity is integral to its business strategy, operational integrity, and brand reputation.
Leading the Company’s cybersecurity risk management and strategy at the management level is our Senior Director of Information Security, who reports directly to the Vice President of Information Technology. The Senior Director of Information Security has been with the Company for over 18 years, serving in various capacities with a deep understanding of the underlying architecture, technologies, and systems utilized by the Company. The Senior Director of Information Security and his team are responsible for designing and implementing the Company’s strategies, policies, and processes to assess, identify, and manage risk related to cybersecurity threats, along with threats associated with our use of third-party service providers. A combination of industry-leading tools, relationships with external experts, in-house expertise, and in-house technologies is integral to the Company’s strategy for managing cybersecurity threats. The Company executes ongoing assessment and testing of processes and practices through regular teammate training, phishing exercises, network and endpoint monitoring, penetration testing, vulnerability scanning, and attack simulations. The Company’s incident response plan is based on recognized industry best practice security standards and control frameworks, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Third parties are also engaged to perform assessments and validate the Company’s cybersecurity measures, including information security maturity assessments and independent reviews of the operating effectiveness of the information security control environment.
Cybersecurity Governance
While the Board of Directors is ultimately accountable for risk management, the Audit Committee oversees management’s processes for identifying, implementing, and mitigating cybersecurity threats. On at least a quarterly basis, the Senior Director of Information Security provides the Audit Committee with updates regarding the Company’s ongoing cybersecurity program. These updates regularly cover the latest in the Company’s evolving approach to managing cybersecurity risks, reviewing key metrics on the effectiveness of the program, and discussing recent developments, key strategic initiatives, the current threat environment, and outcomes from specific evaluations and tests.
Cybersecurity Monitoring and Mitigation
In addition to the ongoing cybersecurity program management carried out by the Senior Director of Information Security, the Company also has the Buckle Incident Response Team (“BIRT”), a cross-functional group with relevant expertise and authority to support all aspects of the incident response, recovery, and reporting of a security incident. BIRT uses a well-defined incident response plan that outlines processes to prepare for and detect cybersecurity threats, analyze the severity, materiality, and impacts, determine who should be notified and involved in the Company’s response, and define actions necessary to contain and recover in the event of an incident. As part of this process, cybersecurity incidents surpassing a certain level of severity necessitate communications to the Board of Directors. On an annual basis, the Company performs tabletop exercises designed to enhance BIRT’s readiness and effectiveness in handling cybersecurity incidents.
To mitigate the financial impact of potential cybersecurity incidents, the Company maintains comprehensive cyber insurance coverage. This coverage is reviewed annually to ensure it aligns with the Company’s risk profile and the evolving cyber threat landscape. In addition to covering losses associated with an incident, this insurance coverage also provides for additional access to third-party resources and expertise to augment Buckle resources should a cyber incident occur.
Although the Company has combatted cybersecurity threats in the normal course of business, these threats have not materially affected its operations, business strategy, results of operations, or financial condition. While the Company strives to implement best-in-class cybersecurity measures, it recognizes that the threat landscape is continually evolving. Future attacks, if not successfully prevented or mitigated, could materially affect the Company, including its operations, business strategy, results of operations, or financial condition. See Item 1A, Risk Factors, of this Annual Report on Form 10-K for additional information.