PVH CORP. /DE/ - (PVH)
10-K Filing Date: April 02, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Cybersecurity is a critical priority within, and has been integrated into, our enterprise risk management framework. We have instituted a risk-based, multi-dimensional global cybersecurity program, guided by the framework established by NIST (National Institute of Standards and Technology). This program aims to assess, identify, and manage risks from potential threats to our data, systems and networks, as well as those of our primary third-party suppliers. We have deployed a suite of physical, administrative and technological safeguards to protect our information systems, encompassing personal data (associate, consumer, customer and business partner), intellectual property and confidential business information. These protections are designed to maintain the confidentiality, integrity and availability of all information housed within our network infrastructure.
Our key cybersecurity processes within our program include the following:
Risk-based Controls for Information and Systems – We strive to secure our information technology infrastructure and data by implementing, maintaining and executing controls and continuously improving our cybersecurity program's maturity, risk management framework, policies, procedures and governance.
Incident Response Plan and Testing – We have a cybersecurity incident response plan and dedicated teams to respond to incidents. Cross-functional teams assess priority and severity, and external experts, including legal counsel, may be consulted. Our cybersecurity teams respond to incidents based on severity levels and improve our plan through regular tabletop breach exercises, penetration tests and simulations.
Education & Interactive Training – We provide cybersecurity training to associates, which includes monthly phishing exercises, to help them protect sensitive information and follow best practices. We offer role-based training for regulatory compliance and work with external partners to develop and deliver education and training to mitigate cybersecurity risks. We continually evaluate trends within the industry, apply necessary controls and empower our leadership to make informed, risk-based decisions.
Third-Party Risk Management – We execute targeted cybersecurity assessments of suppliers, evaluating their risk profiles and using a rating mechanism to identify vulnerabilities. We also partner with primary suppliers to implement advanced security measures to safeguard their information technology systems and have data security provisions in our contracts with third parties that handle our data.
Threat and Vulnerability Management – We, along with our external partners, use resources, technology, and processes to identify, remediate, and report security threats in our systems. These controls are crucial to minimize our attack surface and prioritize possible threats.
Cybersecurity and Compliance Assessment Practices – We conduct regular cybersecurity assessments with independent firms and annual evaluations for compliance with the Payment Card Industry Data Security Standard (PCI DSS) and benchmark maturity assessments aligned with the NIST Cybersecurity Framework. Our Internal Audit department evaluates our information security program through annual information security and cybersecurity audits. We also perform internal controls testing as Section 404 of the Sarbanes-Oxley Act mandates.
As of the date of this report, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For a discussion of related risks, please see our Information Technology risk factor “We rely significantly on information technology. Our business and reputation could be adversely impacted if our computer systems, or systems of our business partners and service providers, are disrupted or cease to operate effectively or if we or they are subject to a data security or privacy breach” in Item 1A. Risk Factors of this report.
Governance
Board of Directors
The Board of Directors oversees the management of risks related to the operation of our business. As part of its oversight, the Board receives periodic reports (no less often than annually) from members of senior management on various aspects of risk, including, among other things, our enterprise risk management program, business continuity planning, and cybersecurity. The Audit & Risk Management Committee of the Board of Directors has principal Board-level responsibility for reviewing and assessing our significant risks, including cybersecurity risks, and management’s program to assess, monitor, and manage such exposures, and can raise any significant issues pertaining to these items with the full Board of Directors at each Board meeting. As part of this role, the Committee receives updates at most meetings from the Chief Information Security Officer (CISO) on various cybersecurity matters, including material risks and threat trends, mitigation strategies, security incidents, the status of priorities and initiatives, and other related matters of importance, as well as an annual in-depth review of cybersecurity strategy and initiatives for the coming year. The Committee also reviews the results of the independent cybersecurity assessments and compliance evaluations discussed above. In addition to these regular updates, the Committee and the full Board of Directors would also be promptly informed by the Chief Executive Officer of any cybersecurity incidents should they occur, as well as provided ongoing updates from lead members of the incident response teams, including the CISO, regarding any such incidents in accordance with our incident response plan.
Management
The CISO reports to the Chief Technology and Information Officer and leads our Information Security Group, a global function that spans our organization and is responsible for executing against our global cybersecurity program. The CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents through our key cybersecurity processes, discussed above, and, together with other lead members of the incident response teams, is responsible for informing senior leadership across the organization about any cybersecurity incidents that may occur. Our CISO has over 25 years of experience managing and leading information technology and cybersecurity teams and participates in various industry and public sector cybersecurity groups.