ABERCROMBIE & FITCH CO /DE/ - (ANF)

2023 Form 10-K, Filing Date: April 01, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

The Company has established an information security program and related processes for assessing, identifying, and managing material risks from cybersecurity threats to the Company, including governance at the executive and Board level of the Company’s cyber risk management strategy and the controls designed to protect its operations. The Company’s information security program is established at the executive level, with regular reporting to, and oversight by, the Company’s Board of Directors (the “Board”). At the highest level, the program includes multi-layered governance by management, the Audit and Finance Committee of the Board, and the Board, as described in greater detail below.

The Company’s policies and procedures identify how cybersecurity measures and controls are developed, implemented, and regularly reviewed and updated. The Company implements and maintains a set of controls to manage information risk, establishes guidelines for the use of information technology, and defines standards for identifying and mitigating information risks, drawing on controls from multiple security frameworks, such as the Center for Internet Security’s Critical Security Controls (CIS Controls) and the Payment Card Industry Data Security Standard (PCI DSS). The Company, internally and through third parties, conducts multiple information risk assessments each year. Risks identified in such assessments are considered for inclusion in the Company’s information risk portfolio and are then prioritized and addressed where appropriate through the Company’s broader information security programs. The Company uses these assessments, together with risk-based analysis and judgment, to determine what it believes to be the optimal way to manage these risks.

In addition, the Company’s Incident Response Plan (“IRP”) provides an outline for the Company on how to identify and address a significant cybersecurity incident. The IRP includes certain steps to be taken by the Information Security team to, among other things, assess the severity of an incident, determine the appropriate escalation, and mitigate or remediate the incident. The IRP is intended to serve as a framework to aid the Information Security team and other corporate functions in coordinating the Company’s response to an incident in order to minimize the impact on the Company’s business and operations, as well as the affected parties.

The Company also conducts cybersecurity exercises and training. For example, certain corporate associates and management-level associates in our stores and distribution centers must complete cybersecurity training at least annually, which educates the associates on the Company’s policies and procedures for the handling of customer and employee personal data, incident reporting, and avoiding common cybersecurity threats such as phishing attacks. In addition, targeted training for corporate associates occurs throughout the year, and regular audiences include associates on the Company’s marketing, data analytics, and user experience teams. The Company’s management holds annual executive data-incident tabletop exercises, and the Information Security team holds more frequent technical tabletop exercises.

The Company leverages third-party security firms in different capacities to implement or operate various aspects of the Company’s information security program, including to conduct risk assessments and penetration testing. The Company uses a variety of processes to address cybersecurity threats related to the use of third-party technology and services, such as conducting risk assessments of third-party vendors where the Company has determined it to be appropriate.

The Company (or the third parties on which it relies) may not be able to fully, continuously, and effectively implement security controls as intended. As described above, we use a risk-based approach and judgment to determine which security controls to implement, and it is possible that we may not implement sufficient controls if we do not recognize, or if we underestimate, a particular risk. In addition, security controls, no matter how well designed or implemented, may only partially mitigate and not fully eliminate risks. Events, when detected by security tools or third parties, may not always be immediately understood or acted upon.

Board Governance and Management

Cybersecurity risk is managed as an enterprise risk in the Company’s enterprise risk management process. Responsibility for risk oversight and management generally lies with the Company’s Board. To manage oversight of our cybersecurity risk management practices effectively, the Board has, since 2019, delegated that responsibility to the Company’s Audit and Finance Committee. The Company’s Chief Information Security Officer (“CISO”) and the Information Security team report quarterly to either the Audit and Finance Committee or the Board on matters such as current and emerging cybersecurity risks to the Company; risks and incidents that were escalated to management during the prior quarter (including those that did not require immediate escalation to the Audit and Finance Committee and/or full Board); internal and external assessments of the Company’s information security program; and a roadmap of projects and major initiatives to manage its information security posture.

At the executive and management level, the CISO has primary responsibility for the architecture, implementation, and management of the Company’s information security program. The CISO has approximately two decades of experience in technology risk management, including over a decade with the Company, and has passed examinations and received certifications as a SANS Global Information Security Leader and a Certified Information Systems Auditor. The CISO reports directly to the Company’s Chief Digital and Technology Officer. The Company’s Information Security team, under the direction of the CISO, implements and provides governance and functional oversight for cybersecurity controls and services. Information Security processes include escalation of certain risks and incidents, including those that originate or occur at third parties, to the CISO and the executive team as appropriate based on the severity or potential severity. In addition, regular updates from the Information Security team, in conjunction with real-time escalation on an as-needed basis, are used to assess the risk landscape and adjust the Company’s strategy and roadmap to address such risk.

Although the risks from cybersecurity threats have not materially affected our business strategy, results of operations, or financial condition to date, they may in the future, and we continue to closely monitor cyber risk. See ITEM 1A. RISK FACTORS for additional information regarding the Company’s cybersecurity risks, which should be read in conjunction with this Item 1C.