URBAN OUTFITTERS INC - (URBN)
10-K Filing Date: April 01, 2024
Risk Management and Strategy
We are committed to safeguarding the personal information of our customers and potential customers as well as our own sensitive data and information. The full Board of Directors (the "Board") is responsible for the Company's general risk oversight, including cybersecurity and data privacy risks. Members of the Company's senior management also have day-to-day responsibility for risk management and establishing risk management practices. The Board oversees senior management in their risk management capacities, regularly reviewing and analyzing the Company's risk levels and reviewing and analyzing inventory risk each quarter as part of their review of quarterly financial statements. Members of the Company's senior management have an open line of communication to the Board and have the discretion to raise issues from time to time in any manner they deem appropriate.
The Audit Committee supports the Board by considering and reviewing the adequacy of the Company’s internal controls with management and the Company’s internal audit department, including the processes for identifying significant cybersecurity/data privacy risks or exposures, and elicits recommendations for the improvements to such procedures where desirable. The Audit Committee periodically reviews the Company’s data security and privacy policies, procedures and risks. Members of management are expected to report matters to the Audit Committee or to the Board as a whole, as appropriate. Management’s reporting on issues relating to risk management typically occurs through direct communication with directors or committee members as matters requiring attention arise.
We maintain a Data Privacy & Security working group that is responsible for setting data security and privacy policies, overseeing those policies, and tracking and reporting on data security and privacy performance. The working group is comprised of our Chief Information Security Officer, Global Data Privacy Officer, Chief Administrative Officer, and General Counsel. The working group reports to the Audit Committee at least annually. In addition, the Company has an Impact Committee that maintains functional working groups that focus on a number of issues, including Data Privacy & Security. The Impact Committee reports to the Board at least annually. The Company's Global Data Privacy Officer also reports to the Audit Committee at least quarterly and provides the Audit Committee with updates regarding the Company's data privacy environment. We also have a Chief Information Security Officer who reports to the Audit Committee at least annually regarding the Company's data security environment.
Our Chief Information Security Officer is certified as a Certified Information Systems Security Professional (CISSP) and has significant experience in monitoring, implementation and management within the disciplines of information and personal data security, disaster recovery, and asset management. He has over 10 years of service in U.S. Army Cyber Operations and within U.S. Army Cyber Command. Our Global Data Privacy Officer has served as our head of Internal Audit for nearly 10 years and has received privacy-related certifications from the International Association of Privacy Professionals (IAPP) including Certified Information Privacy Manager (CIPM) and Certified Information Privacy Professional / Europe (CIPP/e).
We perform an annual training exercise for all employees and hold several cybersecurity awareness campaigns throughout the year. Where deemed appropriate, we engage independent security professionals to evaluate the Company’s security environment. For example, we comply with Payment Card Industry Standards and are audited annually by a third party to confirm compliance with those Standards. In addition, the Company employs third-party penetration testers to identify potential security weaknesses for evaluation and remediation. We also partner with government organizations and industry associations to share intelligence and quickly respond to emergent threats.
In order to identify, assess, protect, detect, respond to and recover from cybersecurity threats, we seek to employ multiple industry best practices, processes and controls to minimize the personal information in our possession, including pseudonymization, anonymization, tokenization and encryption. In addition, the Company maintains technical and organizational measures to ensure that personal information is accessible only by authorized personnel. In the event of a data breach, the Company is committed to notifying impacted customers and/or appropriate government entities in accordance with applicable law without unreasonable delay and in all events within the time period specified by applicable law.
The Company plans to use reasonable, cost-effective, and secure methods for notifications in the event of a data breach. While we have experienced and may continue to experience certain cybersecurity incidents, we do not believe any such incidents incurred to date have materially affected our Company, results of operations, or financial condition. Additional information about cybersecurity risks we face is discussed in Item 1A — "Risk Factors — Operational Risks — 'If we are unable to safeguard against security breaches with respect to our information technology systems, our business and our reputation may be adversely affected'," which should be read in conjunction with the information above.