Crocs, Inc. - (CROX)

10-K Filing Date: February 15, 2024
ITEM 1C. Cybersecurity

We maintain a Cybersecurity Incident Response Plan that is an important component of our Cybersecurity Risk Management Program, which then integrates into our Enterprise Risk Management (“ERM”) Program. Our Cybersecurity Incident Response Plan is designed to facilitate a timely, consistent, and compliant response to actual or attempted cybersecurity incidents impacting the Company. The Cybersecurity Incident Response Plan is built on a framework that is aligned with publication 800-61 of the National Institute of Standards and Technology and is tailored to our people, processes, and technology. Cybersecurity Incident Response Plan phases include (1) preparation, (2) detection and analysis, which includes processes to assess the materiality of cybersecurity incidents and make timely reports, (3) containment, eradication, and recovery, and (4) post-incident activity. The Cybersecurity Incident Response Plan also defines the objectives, roles and responsibilities, and scope of our incident response program.

We maintain a formal information security training program for all employees that includes training on matters such as security awareness, phishing, and email security best practices. Employees are also required to complete compulsory training on compliance and data privacy.

We engage with third party assessors, consultants, and auditors to test our cybersecurity maturity and to drive continuous monitoring and improvements. The engagement includes having independent third parties perform compliance, technical, and maturity assessments, such as (1) attack surface assessment, (2) penetration testing assessment, and (3) cybersecurity maturity assessments. We also annually engage third parties and our internal audit department to assess our information security programs, whose findings are reported to the Audit Committee of the Board.

We rely on our information technology (“IT”) systems and networks in connection with our business activities. Some of these networks and systems are managed by third-party service providers and are not under our direct control. We have implemented processes to manage the cybersecurity risks associated with our use of third-party service providers through our vendor risk management program and an application governance policy.

Despite the security measures we have implemented, certain cyber incidents could materially disrupt operational systems. A compromise of our IT resources by an intentional attack could result in the loss of trade secrets or other proprietary or competitively sensitive information; compromise personally identifiable information regarding customers or employees; delay our ability to deliver products to customers; jeopardize the security of our facilities; or cause other damage. Although the risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition, such incidents could have a material adverse effect in the future as cyberattacks continue to increase in frequency and sophistication. We continuously seek to maintain a robust program of information security and controls, but the impact of a material cybersecurity incident could have an adverse effect on our competitive position, reputation, results of operations, financial condition, and cash flows. In addition to maintaining a cybersecurity program designed to protect and preserve the confidentiality, integrity, and availability of our information systems, we maintain cybersecurity insurance to manage potential liabilities resulting from specific cyber-attacks. Although we maintain cybersecurity insurance, there can be no guarantee that our insurer(s) will cover specific claims, pay the full costs of an incident, or provide payment in a timely manner.

For more information, please see “Item 1A – Risk Factors – Risks Specific to Our Company and Strategy-Our business relies significantly on the use of information technology. A significant disruption to our operational technology or those of our business partners, a privacy law violation, or a data security breach could harm our reputation and/or our ability to effectively operate our business, and our financial results.”

The Audit Committee of the Board is responsible for monitoring and overseeing risk management from cybersecurity threats. In accordance with the Audit Committee’s charter, the Audit Committee is responsible for oversight of our ERM program, which includes cyber risk management. It is the Audit Committee’s responsibility to review and discuss with management the adequacy and effectiveness of our cybersecurity policies and the internal controls regarding cybersecurity and privacy related areas. To satisfy this responsibility, the Audit Committee receives periodic updates from management regarding our cybersecurity program. The updates may include information on, among other things, actual events or incidents, results of vulnerability assessments and penetration testing, results of security incident and event management monitoring, updates to the cybersecurity strategy and program, new or modified security policy recommendations, and cybersecurity risk in general. On at least an annual basis, management presents to the Audit Committee on cybersecurity strategy and framework, roadmaps for continued program maturity, key risk areas and related actions, and any significant incidents that have occurred or are reasonably likely to occur. The entire Board is invited to attend this annual cybersecurity meeting of the Audit Committee.

Our Executive Leadership Team is responsible for managing enterprise risk, which is inclusive of cybersecurity. The Chief Information Officer (“CIO”), a member of the Executive Leadership Team, and the Chief Information Security Officer (“CISO”), who reports to the CIO, are responsible for assessing and managing cybersecurity risk, including the prevention, detection, mitigation, and remediation of cybersecurity incidents. The CIO has over 30 years of experience in Information Technology and Operations including executive-level experience within the consumer goods industry. The CISO possesses relevant expertise in cybersecurity, including 25 years in both IT and cybersecurity.

The cybersecurity team reports to the CISO and has responsibility to prevent, mitigate, detect, and remediate cybersecurity incidents through various processes. These processes include regular vulnerability assessments and penetration testing, security incident and event management, continuous monitoring, and threat intelligence gathering. Additionally, we employ several third parties with expertise in specific cybersecurity risk areas. These third parties report to the CISO, who actively engages with these third parties to monitor their activities and compliance with service level agreements. Through these activities and monitoring, both internally and externally, any events or incidents identified will be escalated to the Board in accordance with our formal Cybersecurity Incident Response Plan.