CALERES INC - (CAL)

10-K Filing Date: April 02, 2024
ITEM 1C CYBERSECURITY

Risk Management and Strategy

We are committed to protecting our customer and employee data. We employ a defense-in-depth cybersecurity strategy leveraging industry frameworks that feature a prioritized set of robust controls that encompass people, processes and technologies. Our Chief Information Officer (“CIO”) is responsible for the execution of our cybersecurity strategy. Our CIO has over 25 years of retail industry experience developing and implementing information technology strategies and leading cybersecurity programs. The CIO is supported by a team of highly qualified professionals, many of whom hold cybersecurity certifications.

The Company’s cybersecurity policies, standards and processes are integrated into the Company’s overall risk management program, and cybersecurity risks are regularly evaluated in the context of material risks to the Company. We regularly engage with outside experts to assess the maturity of our organizational security program and to inform our short- and long-term cybersecurity strategy.

We routinely test and improve our information systems through security and risk and compliance reviews and user education campaigns and other strategies. We also subscribe to various threat intelligence feeds and are active in the information security community.

We maintain an Information Security Policy, which details the acceptable processes and practices our associates must follow to protect the interests of the Company, our customers and other parties. Key components of the Information Security Program include:

Acknowledgement of the Information Security Policy upon hire and annually thereafter;
Access controls, including identification, authentication, logging and authorization;
Endpoint detection and response;
Data classification and labeling;
Privileged Identity Management;
Security Awareness training and a Cybersecurity Ambassador Program; and
A Cybersecurity Incident Response Plan, including procedures for responding to cybersecurity incidents and a framework for evaluating the materiality of the incident for disclosure and reporting purposes.

Governance

The Audit Committee of our Board of Directors is responsible for oversight of our cybersecurity program. In addition, the Technology and Digital Commerce Committee, which was established in 2022, assists the Board of Directors with its oversight responsibilities regarding the role of technology, data, digital commerce and the Company’s ability to understand and connect with its consumers in executing the Company’s strategies, business plans and operational requirements.

On a quarterly basis, our CIO updates the Audit Committee on the Company’s cybersecurity program, including, among other items, actual events or incidents, results of vulnerability assessments and penetration testing.

We continue to invest in cybersecurity and adapt our internal controls and processes to respond to cybersecurity risks. Cybersecurity threats, including those as a result of any previous cybersecurity incidents, have not materially affected our business strategy, results of operations or financial condition. For a discussion of how cybersecurity risks have affected or are reasonably likely to materially affect the Company, refer to Item 1A, Risk Factors.