Boot Barn Holdings, Inc. - (BOOT)
10-K Filing Date: May 14, 2024
We believe cybersecurity is of critical importance to our success. We are susceptible to a number of significant and persistent cybersecurity threats, including those common to most industries as well as those we face as a retailer, operating in an industry characterized by a high volume of customer transactions and collection of sensitive data. These threats, which are constantly evolving, include data breaches, ransomware, and phishing attacks. We, and our vendors and suppliers, regularly face attempts by malicious actors to breach our security and compromise our information technology systems, and a cybersecurity incident impacting us or any vendor or supplier could significantly disrupt our operations and result in damage to our reputation, costly litigation and/or government enforcement action. Accordingly, we are committed to maintaining robust cybersecurity and data protection and continuously evaluate the impact of cybersecurity threats, considering both immediate and potential long-term effects of these threats on our business strategy, operations, and financial condition.
The Audit Committee, under oversight of the Board of Directors, has responsibility for oversight of risks from cybersecurity threats, and the assessment and management of cybersecurity risks is the responsibility of the Information Security (“INFOSEC”) team. The INFOSEC team is managed by the Vice President, Information Technology, who reports to our Chief Executive Officer. Our current Vice President, Information Technology and other members of our INFOSEC team collectively have more than 60 years of experience in information technology and extensive education and industry experience managing cybersecurity risks, developing and implementing cybersecurity policies, and responding to cybersecurity incidents.
Under the oversight of the Audit Committee, our management and the INFOSEC team have established comprehensive processes for identifying, assessing and managing material risks from cybersecurity threats, and these processes are integrated into our overall enterprise risk management program. Our approach is proactive and adaptive, featuring regular security assessments, third-party audits, team member training, and continuous improvement of our cybersecurity infrastructure. We work to align our practices with industry best practices and regulatory standards. We continually evaluate our information technology systems to identify new cybersecurity risks and monitor existing ones based on observed activity on the systems. We evaluate the nature and severity of identified risks, and whether changes to the system are necessary. We perform annual cybersecurity training for all employees with access to our systems and conduct regular test phishing campaigns. We engage a third party to assist in monitoring, preventing and detecting potential cybersecurity vulnerabilities and incidents, including performing scans of our information technology systems and penetration testing. We use the results of the various tests to inform our response plan, update our systems, and train employees.
Upon the identification of a cybersecurity incident, the Incident Response Team (IRT) initiates our Security Incident Response Policy. This includes determining the scope and risk level of the incident, the incident response, and the steps necessary to reduce the likelihood of reoccurrence. Depending on the severity of the incident, the IRT communicates with the appropriate stakeholders, which may include the Audit Committee. In addition, a summary of cybersecurity incidents, results of testing, corporate security training and planned enhancements are reported to the Audit Committee at least quarterly by the Vice President, Information Technology.
Our third-party vendors and service providers also play a role in our cybersecurity. These third parties are integral to our operations but pose cybersecurity challenges due to their access to our data and our reliance for various aspects of our operations, including our supply chain. We have developed a third-party vendor risk management program to assess and manage the risks associated with third-party partnerships, particularly in data security and cybersecurity. We conduct due diligence before onboarding new vendors and maintain ongoing evaluations to ensure compliance with our security standards.
As of the date of this report, no cybersecurity incidents have had, either individually or in the aggregate, nor are we aware of any cybersecurity risks that are reasonably likely to have, a material adverse impact on our business strategy, results of operations, or financial condition. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. For additional discussion of the risks we face from cybersecurity threats, see the risk factor titled “Our management information systems and databases could be disrupted by system security failures, cyber threats or by the failure of, or lack of access to, our Enterprise Resource Planning system. These disruptions could negatively impact our sales, increase our expenses, subject us to liability and/or harm our reputation.” in Item 1A. “Risk Factors.”