COLUMBIA SPORTSWEAR CO 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

COLUMBIA SPORTSWEAR CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 16:16:16 EST.

Filings

10-K filed on 2024-02-26

COLUMBIA SPORTSWEAR CO filed an 10-K at 2024-02-26 16:16:16 EST
Accession Number: 0001050797-24-000032

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Our management team is responsible for identifying, assessing and managing the material risks facing Columbia, supported by an enterprise risk management program. This program includes an annual enterprise risk assessment, during which interviews are conducted with independent directors and members of senior management seeking participants’ judgement and assessment of the material risks facing Columbia. The enterprise risk management program then monitors the risks identified and mitigation efforts underway through periodic meetings with senior management. Our enterprise risk management program addresses risks facing Columbia from cybersecurity threats impacting our internal systems and/or systems supported by third-party software providers. Our Chief Digital Information Officer (“CDIO”) and Chief Information Security Officer (“CISO”) are responsible for identifying, assessing and managing these risks. Our CDIO has served in various information technology and digital engineering roles for nearly 30 years. See Item 1 in this Annual Report on Form 10-K for further discussion of our CDIO’s background. Our CISO has served in various information technology and information security roles for over 20 years, including management of information security programs in the Department of Defense, private and public companies, as well as holds multiple industry certifications in information security. We leverage certain third-party providers and our internal Incident Response Team to alert us when a cybersecurity event occurs. Cybersecurity events may include unauthorized access, attacks on our resources, compromised accounts, malware, or ransomware. Upon alert of an event, we estimate the level of severity, create a response plan, and communicate to management as needed. Based on the estimated level of severity, timing of incident communication to management may range from immediate to quarterly. Our risk assessment process related to cybersecurity threats is subject to change in the future as threats may evolve over time. Our Information Security committee oversees this cybersecurity program and consists of senior management, including our CDIO, Chief Financial Officer and Chief Administrative Officer and General Counsel. At least quarterly, this committee reviews updates regarding cybersecurity threats and incidents that have occurred. Periodically, this committee approves cybersecurity strategy and initiatives proposed by our CISO. Our Board of Directors (“Board”) generally oversees Columbia’s risk management practices and processes. Annually, the Board reviews the results of the annual enterprise risk management program, including updates from our CISO related to cybersecurity matters. The Audit Committee also receives an update on the enterprise risk management program annually. The Board has delegated primary oversight of the management of cybersecurity risk to the Audit Committee. The Audit Committee annually reviews the strategies, investments and risk related to Columbia’s information technology systems, including a review of Columbia’s cybersecurity programs, and also receives quarterly updates from our CISO. The Board is informed of cybersecurity events to the extent they may materially impact Columbia or management otherwise believes they should be escalated. See Item 1A of this Annual Report on Form 10-K for more information of risks relating to cybersecurity, including the risk factors “We Rely on Information Technology Systems, including Third-Party Cloud-based Solutions, and Any Failure of These Systems May Result in Disruptions or Outages in Our E-Commerce and In-Store Retail Platforms, Loss of Processing Capabilities, and/or Loss of Data, Any of Which May Have a Material Adverse Effect on Our Financial Condition, Results of Operations or Cash Flow” and “A Security Breach of Our or Our Third- COLUMBIA SPORTSWEAR COMPANY | 2023 FORM 10-K | 17 Table of Contents Parties’ Systems, Exposure of Personal or Confidential Information or Increased Government Regulation Relating to Handling of Personal Data, Could, Among Other Things, Disrupt Our Operations or Cause Us to Incur Substantial Costs or Negatively Affect Our Reputation”.

Company Information