Revolve Group, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Revolve Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:30:48 EST.

Filings

10-K filed on 2024-02-27

Revolve Group, Inc. filed an 10-K at 2024-02-27 16:30:48 EST
Accession Number: 0000950170-24-021244

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Risk Management and Strategy We have implemented policies and processes to evaluate and manage cybersecurity risks, incorporating them into our broader risk management framework. We regularly examine cybersecurity threats that could compromise our information systems security or data. Every quarter, we evaluate our cybersecurity posture and reassess whether significant changes in our business could impact our digital infrastructure. These assessments aim to identify potential internal and external threats, estimate their probability and possible impact, and gauge the effectiveness of our current policies and processes in mitigating these threats. Following these risk assessments, we evaluate whether and, if so, how to re-design, implement and maintain reasonable safeguards to minimize identified risks and reasonably address any identified gaps in existing safeguards. We also regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high-level personnel, including our chief architect, who reports to our co-chief executive officer, to manage the risk assessment and mitigation process. We regularly check and improve our security measures and educate our employees about them with the help of our information technology team. Key personnel are made aware of our cybersecurity policies through trainings. We engage third parties in connection with our risk assessment processes. We require all external service providers who may impact our cybersecurity risks to certify that they can set up and maintain proper security consistent with all applicable laws, manage security effectively for their work with us, and quickly inform us if they think their security has been breached. We have never experienced a cybersecurity incident that was determined to be material, although, like many technology-dependent companies operating in the current environment, we have experienced cybersecurity incidents in the past. For additional information regarding whether any risks from cybersecurity threats are reasonably likely to materially affect our company, including our business strategy, results of operations or financial condition, please see the section titled Risk Factors. Governance One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors monitors and assesses strategic risk exposure, and our executive officers manage the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole and through the audit committee. Our chief architect, who has over 15 years of experience in software engineering, has served as our chief architect for seven years, works with our cybersecurity management committee to manage our cybersecurity policies and processes, including those described in the Risk Management and Strategy section above. They stay informed and manage how we identify, address, prevent and resolve cybersecurity issues and related matters. This is done through regular checks of our systems, tests to identify security weaknesses and maintaining our incident response plan. Our chief architect and the cybersecurity management committee are responsible for our cybersecurity rules and methods, like those described in the Risk Management and Strategy section. They stay updated and track how we 50 prevent, identify, lessen and address cybersecurity issues. This is done through regular checks of our systems, tests to find security weaknesses and having a plan ready to respond to any incidents. In addition to regular meetings, the chief architect and co-chief executive officer regularly discuss active, emerging and potential cybersecurity risks. They keep each other informed about significant changes affecting cybersecurity, and they periodically update our board of directors or the audit committee about these changes as well as our cybersecurity risks, so that our board of directors can administer its oversight function as part of its broader oversight and risk management.

Company Information