WOLVERINE WORLD WIDE INC /DE/ - (WWW)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
The Company maintains a cybersecurity program guided by the ISO 27001 information security standard for information security management systems that is reasonably designed to protect its information, and that of its customers, against cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of its information systems.
Internal Cybersecurity Team and Governance
Board of Directors
The Company’s Board, in coordination with the Audit Committee, oversees the Company’s enterprise risk management process, including the management of risks arising from cybersecurity threats. The Board has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee. The Audit Committee regularly reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. As part of such reviews, the Audit Committee receives quarterly reports and presentations from members of the Company’s team responsible for overseeing the Company’s cybersecurity risk management, including the Chief Information Security Officer (CISO), Chief Information Officer (CIO), and members of the legal team, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to the Company’s peers and third parties. The other members of the Board attend these quarterly reports and presentations to the Audit Committee by members of management. The Company has protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported promptly to the Board and Audit Committee, with ongoing updates provided regarding any such incident until it has been addressed.
Management
At the management level, the CISO, who has extensive cybersecurity knowledge and skills gained from over 16 years of work experience at the Company and elsewhere, heads the cross-functional team responsible for implementing, monitoring, and maintaining cybersecurity and data protection practices across the business and reports directly to the CIO, who reports directly to the Chief Executive Officer. The CISO receives reports on cybersecurity threats from a number of experienced information security team members, each of whom is responsible for various parts of the business on an ongoing basis and, in conjunction with management, regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. The CISO works closely with the legal team to oversee compliance with legal, regulatory and contractual security requirements.
Internal Cybersecurity Team
The Internal Cybersecurity Team, led by the CISO, is responsible for the implementation, monitoring, and maintenance of the cybersecurity and data protection practices across the Company. The CISO is supported by experienced information security team members, each of whom is supported by a team of trained cybersecurity professionals. The individuals who report directly to the CISO include the Director of Cyber Security, who oversees the cybersecurity engineers, security operations center, and identity & access management team, and the Privacy and Compliance Manager, who oversees the global privacy and compliance analysts.
In addition to internal cybersecurity capabilities, the Company also at times engages consultants or specialists to assist with assessing, identifying, and managing cybersecurity risks.
Risk Management and Strategy
The Company employs systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer, or of any incident otherwise implicating the third-party technology and systems the Company uses.
The Company maintains a Privacy Policy that describes the personal information that it collects about its customers, including how the Company may use such information and when it shares such information with third parties.
The Company conducts annual cyber-risk mitigation exercises including awareness outreach, annual IT Security Awareness training, monthly phishing tests, and a variety of ongoing vulnerability scans. Over the past two years, the Company has implemented multiple new security tools designed to provide visibility and controls allowing the cybersecurity team to safeguard data against theft or loss.
The Company maintains various role-based access controls to safeguard data and systems. Data center assets are protected and monitored by badged key systems and video surveillance. Access is periodically reviewed and updated.
In addition, an external consultant in conjunction with the Company conducted a cybersecurity gap assessment in November 2023 to review and confirm that the Company has appropriate measures in place to assess, identify and manage cybersecurity risks, and the Company is implementing the recommendations made as a result of the gap assessment.
The cybersecurity, legal, and Executive Leadership teams also participated in a data security incident tabletop exercise in December 2023 to simulate responses to a ransomware attack and use the findings to improve the Company’s processes and technologies.
The Company maintains cybersecurity insurance coverage to help defray any financial losses suffered by the Company in the event of an information security breach. The Company's insurance coverage may not cover all cybersecurity incidents the Company experiences or all losses the Company incurs as a result.
Incident Response
The Company has adopted an Incident Response Plan (the “IRP”) that provides a standardized framework for responding to security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. The IRP applies to all Company personnel (including third-party contractors, vendors and partners) that perform functions or services that require access to secure Company information, and to all devices and network services that are owned or managed by the Company.
Material Cybersecurity Risks, Threats & Incidents
The Company relies on information technology and third-party vendors to support its operations, including its secure processing of personal, confidential, sensitive, proprietary and other types of information. The Company and its vendors may not be able to protect all of their respective information systems from cybersecurity incidents, and such incidents may lead to reputational harm, revenue and client loss, legal actions and statutory penalties, among other consequences. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition. While the Company has not experienced any material cybersecurity incidents, there can be no guarantee that it will not be the subject of future successful attacks, threats or incidents.