OXFORD INDUSTRIES INC - (OXM)

10-K Filing Date: April 01, 2024

Item 1C. Cybersecurity

We maintain a comprehensive process for identifying, assessing, and managing material risks from cybersecurity threats. We obtain input, as appropriate, for our cybersecurity risk management program from threat intelligence services, cybersecurity consultants, and multiple external sources. Our cybersecurity program is managed by our Head of Cyber Security, whose team is responsible for leading enterprise-wide cybersecurity strategy, risk assessment, and management policies, standards, architecture, and processes. The Head of Cyber Security has a master’s degree in cybersecurity, maintains industry certifications, and has over 20 years of prior work experience in various roles involving information technology, cybersecurity, and compliance. We augment our cybersecurity team with consultants, contract resources, and managed security service providers when needed. Our executive leadership team, along with input from the Head of Cyber Security, are responsible for our overall enterprise risk management system and processes and regularly consider cybersecurity risks in the context of other material risks to the company.

Our Board has delegated to its Audit Committee oversight responsibility for cyber risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements. The Head of Cyber Security provides quarterly reports to our Audit Committee regarding cyber risk trends, technology security risks, projects to continually enhance our information security systems, cybersecurity strategy, and the emerging threat landscape. The Audit Committee reports any findings and recommendations, as appropriate, to the full Board for consideration. Our cybersecurity program is periodically evaluated by internal and external resources to evaluate and enhance the effectiveness of our information security policies, controls, and procedures. The results of those reviews are reported to senior management and the Audit Committee. As part of our cyber risk management program, we track and log security incidents across our enterprise and perform third-party risk assessments to identify and attempt to mitigate risks from third parties such as vendors and suppliers.

Despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents or provide assurances that we have not experienced an undetected cybersecurity incident. In addition, while we have implemented a risk management process to mitigate cybersecurity risks that arise from utilizing third party service providers, suppliers, and vendors, our control over and ability to monitor the security posture of third parties with whom we do business remains limited and there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the security infrastructure owned or controlled by such third parties.

For more information on our cybersecurity related risks, see Part I, Item 1A. Risk Factors of this Report.