GUESS INC - (GES)

10-K Filing Date: April 01, 2024
ITEM 1C. Cybersecurity.
Risk Management and Strategy
We have developed an information security program that is designed to address material risks from cybersecurity threats and our cybersecurity risk management processes are integrated into our overall risk management program. The program includes policies and procedures that identify how security measures and controls are developed, implemented, and maintained. A cybersecurity risk assessment, based on an internationally recognized methodology, is conducted annually.
The cybersecurity risk assessment process includes three parts: (1) identification of assets such as information, services, software, and their dependencies, (2) an assessment of the criticality of the assets based on factors of confidentiality, integrity and availability, and (3) an assessment of other criteria to determine the impact a threat can have on each asset and the likelihood that such a threat occurs. Based on the risk assessment process, risk-based analysis, and using an internationally recognized information security framework as a reference, security controls are chosen.
Specific controls that are used to some extent as part of the information security program include endpoint threat detection and response, privileged access management, logging and monitoring involving the use of security information and event management with monitoring by a security operations center, multi-factor authentication, firewalls and intrusion detection and prevention, vulnerability and patch management, and security awareness training for employees and long-term consultants. Third-party security firms are used in different capacities to provide or operate some of these controls and technology systems, including cloud-based platforms and services. For example, third parties are used to conduct independent assessments, such as vulnerability scans and penetration testing. We use a variety of processes to address cybersecurity threats related to the use of third-party technology and services, including pre-acquisition diligence, imposition of contractual obligations, and performance monitoring.
We have a written incident response plan that uses a severity classification process to identify incidents to escalate to executive management and to determine whether the impact of the incident is material. We also conduct periodic trainings and tabletop exercises to enhance incident response preparedness. We are a member of an industry cybersecurity intelligence and risk sharing organization. Employees complete initial cybersecurity awareness training when hired and refresher cybersecurity awareness training annually.
To date, we do not believe that known risks from cybersecurity threats, including as a result of any previous cybersecurity incidents that we are aware of, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, we can give no assurance that we have detected or protected against all cybersecurity incidents or cybersecurity threats. Please refer to the risk factors under the heading “Risks Related to Data Privacy and Cybersecurity” in Part I, Item 1A of this Report for additional information about the risks we face associated with cybersecurity threats.
Governance
The Chief Information Security Officer (CISO) is the management position with primary responsibility for the development, operation, and maintenance of our information security program. The Company’s CISO has cybersecurity experience that includes serving as a lead auditor for ISO/IEC 27001, with knowledge of both operations and governance. In his previous position as Chief Technology Officer for an international managed security service provider, he worked as a virtual CISO, incident manager and security auditor for several multinational companies. We have established a Cybersecurity Steering Committee to provide management-level oversight of cybersecurity. The Cybersecurity Steering Committee reviews the annual risk assessment and provides comments on the overall information security program. Oversight of the information security program at the Board level sits with the Audit Committee. The CISO provides quarterly updates on the information security program to the Audit Committee, and more frequent updates as circumstances require.