KIRKLAND'S, INC - (KIRK)
10-K Filing Date: March 29, 2024
The Company depends on the confidentiality, integrity and availability of information systems and data. We have systems and processes in place to assess, identify and manage cybersecurity incidents and those systems and processes are integrated into our overall risk management system.
Internal and third-party risks are reviewed, monitored and managed by the Company's IT security partners, who hold ISC2, SANS and CompTIA certifications, and by external expert consultants. The Company annually engages third-party experts to assess the effectiveness of system and network security. Periodically, an external independent consultancy team conducts a comprehensive review of the Company's cybersecurity program using the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Additionally, the Company is assessed annually by an independent third party for compliance with the PCI-DSS standard, for which the Company receives an attestation of compliance.
The Company’s security awareness program seeks to create a culture of shared responsibility for the security of sensitive data and systems. There is required annual security training and quarterly phishing campaigns for team members with access to Company email. Annually, members of the IT department are required to take IT specific training, and store employees take operations and security training. A third-party led social engineering campaign that targets Kirkland’s employees is carried out on an annual basis. Key performance indicators and periodic testing of training materials ensure the program’s effectiveness.
The Company’s process for identifying and managing first- and third-party risks from cybersecurity threats includes proactive threat hunting, continuous monitoring of the Company’s systems and network for cybersecurity events, and regular testing of the Company’s Security Incident Response Plan, Business Continuity Plan, and Disaster Recovery Plan. An external managed security services provider and an industry-leading security tool continuously monitor the Company’s systems and network, detect cybersecurity threats, and respond to them. The Company’s IT security partners evaluate escalated threats and, if necessary, take steps to contain and recover from pervasive threats in accordance with the Company’s Security Incident Response Plan. A third party with extensive experience in incident response and forensics is on retainer to assist with incidents. The Incident Response Plan includes reporting and escalation procedures to inform the Company’s executives, the Audit Committee, and the full Board of Directors, as appropriate, to enable them to carry out their oversight responsibilities and to ensure timely compliance with applicable reporting rules. The Company’s Incident Response Plan and Disaster Recovery Plan include procedures for business recovery and are tested at least annually. The Company also maintains a cyber insurance policy that provides coverage for material IT security incidents.
No risks from cybersecurity threats have materially affected, nor has the Company identified any specific risks from known cybersecurity threats that are reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. Please see “Item 1A. Risk Factors — Risks Related to Technology and Data Security” for additional discussion of cybersecurity risks applicable to the Company.
Management Responsibilities
Our cybersecurity program is managed by our Chief Technology Officer (“CTO”). Our CTO has 10 years of experience in information technology and cybersecurity and has been at the Company since 2023. The CTO, along with the Company’s IT security partners, is responsible for reducing cybersecurity risk by maintaining a proactive security posture aligned with current threats, detecting cybersecurity events, responding quickly, and building procedures to recover rapidly if needed.
Board Responsibilities
On behalf of the Board of Directors, the Audit Committee provides oversight of the Company’s management of cybersecurity risk. The Audit Committee reviews quarterly the Company’s cybersecurity risks, incidents, audits, assessments, crisis readiness, awareness activities, and compliance with cybersecurity and privacy laws and regulations. The Company’s Chief Technology Officer briefs the Audit Committee quarterly on active and emerging cybersecurity threats and on efforts to strengthen the Company’s defenses against these threats.