DILLARD'S, INC. - (DDS)
10-K Filing Date: March 29, 2024
ITEM 1C. CYBERSECURITY.
Risk Management and Strategy. The Company has developed an information security program to assess, identify, and manage material risks from cybersecurity threats. The program includes policies and procedures that identify how security measures and controls are developed, implemented, and maintained. An internal cyber risk assessment is conducted annually. The risk assessment is used by management to consider implementing and augmenting cybersecurity controls where feasible and appropriate with the intent of mitigating cybersecurity risk exposure. The Company employs a broad array of cybersecurity tools and controls to manage exposure to cybersecurity risks.
In addition, the Company retains third-party security firms in different capacities to provide some of these controls or monitor cybersecurity threats to our technology systems. For example, third parties are used to conduct independent assessments, such as vulnerability scans and penetration testing, and to confirm PCI DSS compliance. Additionally, third parties are also used to monitor security alert systems.
The Company engages with a number of service providers in connection with normal business operations. The Company uses a variety of processes to address cybersecurity threats related to third-party service providers, including, where appropriate, pre-acquisition diligence, and imposition of contractual data security and privacy obligations. In addition, the Company is a member of an industry cybersecurity intelligence and risk sharing organization and participates in other information sharing groups and trade organizations to stay abreast of ongoing cyber risks, cyber incidents, and newly disclosed vulnerabilities and attack vectors.
The Company utilizes multiple training methodologies to ensure associate awareness of cybersecurity risks and practices. Associates are required to undergo security awareness training when hired and annually thereafter. In addition, the Company conducts tabletop exercises and other readiness exercises to enhance incident response preparedness. Disaster recovery plans have been put in place, and are tested, to prepare for potential disruptions in technology on which we rely.
The Company has an Information Technology Governance, Risk, and Compliance function to address information technology risks, including cybersecurity risks. Additionally, a working committee of management meets periodically to review, assess, and manage material risks from cybersecurity threats.
The Company has written cybersecurity incident response plans that are reviewed, and updated if necessary, at least annually. The plans identify cross-functional incident response teams composed of representatives from management, including the Chief Information Security Officer (CISO) and General Counsel. The plans provide for notification to the Executive Committee of the Board of Directors and the full Board of Directors, as appropriate, of any actual or suspected significant cybersecurity incidents and require regular updates to these parties during the investigation of such incidents.
The Company is unaware of any risks from cybersecurity threats, including those from publicly disclosed incidents with respect to other companies, that have materially affected, or are reasonably likely to materially affect the Company, including strategies, results of operations, or financial condition.
Governance. The CISO, who reports to the Chief Information Officer (CIO), is the management position with primary responsibility for the development, operation, and maintenance of our information security program. The CISO has been with the Company for 40 years, holds the CISSP, CRISC, and CIPM certifications, and oversees a team of experienced individuals.
In addition to the working committee meetings described above, the CISO and CIO meet regularly with the Company’s President and with other members of senior management to review the current state of the cybersecurity program and emerging threats to the Company.
Oversight of the information security program sits with the Company’s President and ultimately with the full Board of Directors. The full Board of Directors is briefed as appropriate but not less than annually on cybersecurity risks and the Company’s efforts to mitigate exposure from those risks.
Cyber threats are constantly evolving, and those threats and the means for obtaining access to information systems are becoming increasingly sophisticated. Cyber threats can come from unauthorized access, computer hackers, computer viruses, malicious code, ransomware, phishing, organized cyber-attacks and other security problems and system disruptions. The Company faces numerous attempts to access the information stored in its information systems. If successful, cyber incidents could expose the Company to loss or misuse of confidential information, including customer information, or disruptions of business operations. In addition, third-party service providers can experience breaches of their systems and products that impact the security of the Company’s information technology systems and proprietary or confidential information. The Company (or third parties it relies on) may not be able to fully, continuously, and effectively implement security controls as intended. We utilize a risk-based approach and judgment to determine the security controls to implement, and it is possible we may not implement appropriate controls if we do not recognize, or if we underestimate, exposure to a particular cybersecurity risk, or if the control is not feasible or may have an adverse impact on operations. In addition, cybersecurity controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. Events, when detected by security tools or third parties, may not always be immediately understood or acted upon.