RALPH LAUREN CORP - (RL)

10-K Filing Date: May 23, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We have established a cybersecurity risk management program that is integrated into our overall enterprise risk management system and supports us in assessing, identifying, and managing material risks from cybersecurity threats. Our enterprise risk management program is fully updated annually and is periodically updated and supplemented as new risks and opportunities are identified by management, including those related to cybersecurity risks. Our longstanding information security risk program is structured according to the National Institute of Standards and Technology Cybersecurity Framework, industry best practices, privacy legislation, and other global and local standards and regulations. This program includes a defense-in-depth approach with multiple layers of security controls, including network segmentation, security monitoring, endpoint protection, and identity and access management, as well as data protection best practices and data loss prevention controls.
Our cybersecurity awareness program includes regular phishing simulations, annual general cybersecurity awareness training, and data protection modules, as well as more contextual and personalized modules for targeted users and roles. We incorporate external expertise and guidance in all aspects of our cybersecurity program. We complete annual internal security audits and vulnerability assessments of the Company's information systems and related controls, including systems affecting personal data. In addition, we leverage cybersecurity specialists to complete annual external audits and objective assessments of our cybersecurity program and practices, including our data protection practices, as well as to conduct targeted attack simulations. We continually enhance our information security capabilities in order to protect against emerging threats, while also increasing our ability to detect and respond to cyber incidents and maximize our resilience to recover from potential cyber-attacks. We have a robust incident response plan in place that provides a documented runbook for handling high severity cybersecurity incidents and facilitates coordination across various corporate functions. We also perform simulations and drills at both a technical and leadership level at least annually. Additionally, we have purchased network security and cyber liability insurance in order to provide a level of financial protection should a data breach occur.
Our cybersecurity framework incorporates a robust third-party information technology ("IT") risk management program to ensure our vendors meet our high security standards. We leverage industry best practices like Standardized Information Gathering ("SIG") and recognized security certifications, including SOC 2, ISO 27001, and PCI-DSS, to assess our vendors. We also conduct thorough penetration testing and require vendors to adopt appropriate security controls through contractual agreements.
We thoroughly assess potential vendors based on their role and the sensitivity of the IT resources they access. All vendors follow a consistent risk management process, ensuring every vendor meets our high standards. We select vendors who prioritize data protection and comply with relevant privacy regulations. Furthermore, we enforce strict protocols, including limiting access to necessary information, ensuring data usage is confined to agreed-upon purposes, and mandating the deletion or return of data upon service termination. Through these measures, we collaborate with third-party vendors while implementing controls to safeguard our information.
Our business strategy, results of operations, and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of any previous cybersecurity incidents; however, we cannot assure that cybersecurity threats will not be material to us in the future. During the three fiscal years presented within this Form 10-K, we have not experienced a known material information security breach nor incurred material breach-related expenses. For a detailed discussion of significant risk factors regarding cybersecurity threats, see Item 1A — "Risk Factors Risks Related to Information Systems and Data Security."
Governance
Our Board of Directors is responsible for overseeing management's overall approach to risk management, including cybersecurity risk. In addition, the Committees of the Board report to the full Board at regularly scheduled Board meetings on any identified material risks within that Committee's area of responsibilities and oversight, as well as when new risks arise. The Audit Committee has responsibility for oversight of the Company's cybersecurity risks.
The Audit Committee reviews our cybersecurity program on a quarterly basis, including through review of a quarterly enterprise risk management report, and periodically convenes special meetings to conduct deeper preparedness, enterprise risk and business continuity reviews. These special meetings are open to the full Board to attend. In addition, the full Board receives a regular cybersecurity update at least once annually. All of these meetings include our Chief Digital and Technology Officer ("CDTO") and Chief Information Security Officer ("CISO").
Our cybersecurity program is led by our CISO, a seasoned leader in the cybersecurity field with over 25 years of extensive experience across cybersecurity, IT, risk management, and regulatory compliance. Holding both a master's in computer engineering and business administration, our CISO is also a Certified Information Systems Security Professional ("CISSP"). Reporting directly to our CDTO, our CISO leads a dedicated team of information security and risk professionals. Together, they are entrusted with the crucial task of managing our information security and data protection operations.
Collaborating closely with business stakeholders, our CISO shapes a comprehensive cybersecurity strategy that serves as the cornerstone of our information security programs, supporting effective cybersecurity risk management. Leading the cybersecurity risk assessment process, our CISO utilizes a robust incident response plan to handle high-severity cybersecurity incidents promptly. In cases of potentially material cyberattack incidents, or a series of smaller similar incidents, our CISO promptly engages a cross-functional incident response team to determine the materiality of the incident and whether public disclosure is necessary.
The CISO informs our management leadership team on security matters and fosters a strong partnership with our corporate legal team to ensure compliance with legal, regulatory, privacy, and contractual security requirements.