Childrens Place, Inc. - (PLCE)
10-K Filing Date: May 04, 2024
ITEM 1C. CYBERSECURITY.
Risk Management and Strategy
We consider cybersecurity and privacy to be important issues affecting the enterprise both in terms of reputational risk and economic risk. To effectively assess, identify, and manage material risks from cybersecurity threats, we maintain a cybersecurity risk management program, which is led by our Chief Technology, Logistics & Stores Officer (“CTO”) and our Vice President, Information Security & IT Risk (“VP, IT”), as a part of the Company’s overall risk management and compliance programs. To keep pace with ever-evolving threats and industry best practices, we have made, and will continue to make, sizable investments in building and developing cybersecurity talent and expertise and in implementing state-of-the-art systems and tools to detect, identify, classify and mitigate cybersecurity and other data privacy risks within our environment. We employ benchmarking to understand best practices and industry trends. We conduct security and compliance assessments throughout each year to validate the efficacy of our programs and practices. We also engage an independent third-party expert to periodically assess our cybersecurity maturity against the retail industry. The results of these assessments inform our cybersecurity development roadmap going forward and are presented to the Audit Committee and the Board of Directors. We also maintain cybersecurity insurance as part of our comprehensive insurance portfolio.
We believe that we employ appropriate standards, guidelines and best practices to manage cybersecurity-related risk and have implemented comprehensive controls consistent with the requirements of the International Organization for Standardization (“ISO”) and assess our cybersecurity maturity levels against the National Institute of Standards and Technology (“NIST”) framework, including, but not limited to, the following:
• Intrusion prevention controls (such as network segmentation and firewalls);
• Access controls (such as identity and access management and multi-factor authentication on critical applications and systems);
• Detection controls (such as endpoint threat detection and response, and logging and monitoring involving the use of a third party for security information and event management, with reports and alerts provided by the third party to the CTO’s team); and
• Threat protection controls (such as mandatory cyber-threat training and simulated phishing campaigns with employees, vendor management programs, and vulnerability and patch management).
In an effort to ensure that our associates are knowledgeable about our data security and protection policies, and to enable them to proficiently handle the threat of cyber-attacks, all associates are required to participate in a cybersecurity awareness training program annually. Financial, IT and other associates who have access to sensitive information are also required to attend additional training courses during the year. We also conduct frequent phishing simulations throughout the year to test our employees’ responses to suspicious emails and to better inform our cyber awareness training program.
We circulate cyber awareness materials on a periodic basis on our intranet and hold a “Cyber Awareness Month” each year to promote the importance of cybersecurity topics. In addition, members of senior management participate in periodic crisis management exercises with third-party experts on crisis management best practices and apply their learnings to the Company’s business continuity management program. In particular, in Fiscal 2023, the table-top exercise conducted for senior management focused on the handling of a cybersecurity incident.
Because we are aware of the risks associated with third-party service providers, we also have implemented processes to oversee and manage these risks. We conduct security assessments of third-party providers before engagement and maintain ongoing monitoring to help ensure compliance with our cybersecurity standards. In addition, we perform periodic risk assessments of key vendors. This approach is designed to mitigate risks related to potential data breaches or other security incidents originating from or at third-party service providers.
We have experienced targeted and non-targeted cybersecurity attacks and incidents in the past, and we could in the future experience similar attacks. As of Fiscal 2023, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us, our business strategy, results of operations or financial condition. For more information about the Company’s assessment of cybersecurity risks, see the risk factor titled “A privacy breach, through a cybersecurity incident or otherwise, or failure to comply with privacy laws could have a material adverse effect on our business” in Part I, Item 1A, “Risk Factors”.
We are committed to maintaining the trust we have established with our customers and associates. They expect that we will protect their personal information. Our comprehensive privacy program includes standards and practices focused on keeping data we collect secure and reflects our commitment to respecting privacy rights. Our Privacy Policy is available on our website and we continually assess and update this Policy to reflect industry best practices and applicable laws and regulations.
Governance
Our Board of Directors recognizes the important role of information security and mitigating cybersecurity and other data security threats, as part of our efforts to protect and maintain the confidentiality and security of customer, employee and vendor information, as well as non-public information about our Company. Although the Board of Directors as a whole is ultimately responsible for the oversight of our risk management function, the Board of Directors uses its committees to assist in its risk oversight function. The Audit Committee of our Board of Directors has primary responsibility for our cybersecurity risk identification and mitigation activities, and that Committee and senior management provide reports regularly to the Board of Directors.
The Audit Committee receives periodic reports from management, including our CTO and VP, IT. These reports encompass a broad range of topics, such as our cybersecurity risks, the current cybersecurity landscape and the status of ongoing cybersecurity initiatives. Furthermore, management informs the Audit Committee, as deemed necessary, about any notable cybersecurity incidents.
Our management team, including our CTO and VP, IT, is responsible for assessing and managing our material risks from cybersecurity threats. The VP, IT’s team has primary responsibility for the day-to-day operation and implementation of our overall cybersecurity risk management program and supervises both our internal cybersecurity team and our retained external cybersecurity consultants. The VP, IT’s team also supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the IT environment.
Our CTO’s background includes more than 20 years of experience in the technology domain, with 15 years in the retail industry, leading e-commerce implementations and large-scale transformation projects such as adopting cybersecurity best practices. Our VP, IT has more than 30 years of experience implementing security in complex manufacturing and retail environments. Their combined in-depth knowledge and experience are instrumental in developing and executing our cybersecurity risk management program.
The Company’s management maintains and implements a written Cyber Security Incident Response Policy and Cyber Security Incident Response Plan, both of which are reviewed and updated on a periodic basis. In the event we identify a potential cybersecurity, privacy or other data security issue, we have defined procedures for responding to such issues, including procedures that address when and how to engage with Company management, the Audit Committee, our Board of Directors, other stakeholders and law enforcement when responding to such issues.