BIG 5 SPORTING GOODS Corp 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

BIG 5 SPORTING GOODS Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 13:03:55 EST.

Filings

10-K filed on 2024-02-28

BIG 5 SPORTING GOODS Corp filed a 10-K at 2024-02-28 13:03:55 EST
Accession Number: 0000950170-24-021829


Item 1C. Cybersecurity.

We maintain processes intended to identify, assess, and manage material risks from cybersecurity threats, and these processes are subject to oversight from our management and Board of Directors. As the global cybersecurity environment evolves, we have processes designed to help evaluate and prioritize our response to the impact of ever-growing cybersecurity risk on our operations, along with the potential related cost to our business. Our Information Security (InfoSec) department has responsibility for protecting our computer systems, related information technology (IT) infrastructure and information (including when processed by third-party service providers). However, given that cybersecurity is an enterprise risk, and not just an IT function, we maintain a cross-functional approach to cybersecurity. Accordingly, while many processes and policies are initiated by the InfoSec team, risks and controls are also assessed at the department and enterprise levels.

Risk Management and Strategy

Cybersecurity risk is identified and managed through a variety of means. However, there can be no assurance that our cybersecurity risk management processes, including policies, controls, or procedures, will be fully implemented, complied with or effective in protecting our systems and information. We have established an Enterprise Risk Management (ERM) program that focuses on the identification, evaluation, and mitigation of risks facing us as a whole. The ERM Committee, which consists of executives representing a broad base of our operations, meets semi-annually after updating its company-wide risk assessment, which includes cybersecurity risk. The Internal Audit team focuses on risks specific to Information Technology General Controls (ITGC) which impact financial reporting systems. The InfoSec department is responsible for implementing and maintaining our IT security-related policies including those policies which govern cybersecurity matters.

The InfoSec department also engages independent third parties to conduct various types of risk assessments to evaluate our security program, including various types of independent security access testing and scoring of the security program against certain recognized cybersecurity frameworks. While we use such frameworks as a guide, this does not imply that we meet any particular technical standards, specifications or requirements.

The InfoSec department is comprised of three functional groups consisting of Security Operations (SecOps), Security Assurance & Compliance, and Identity & Access Management (IAM). The SecOps functional group consists of in-house cybersecurity analysts and managed services that are responsible for monitoring key cybersecurity alerts, investigating potential cybersecurity incidents, and searching for and responding to critical threats. Additionally, and as supported by the Security Assurance & Compliance functional group, we strive to comply with multiple applicable regulatory compliance frameworks, such as Internal Control Over Financial Reporting (ICOFR) and the Payment Card Industry Data Security Standard (PCI DSS), and have put in place related IT controls designed to play a role towards compliance. The primary objective of the IAM functional group is to balance the need for access to resources with the necessity for strong cybersecurity, compliance, and governance, which they attempt to achieve by implementing and maintaining access policies and authentication and authorization methods.

We are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, operations, results of operations or financial condition. We face certain ongoing risks from cybersecurity threats and vulnerabilities that, if realized, could reasonably likely materially affect our business strategy, operations, results of operations or financial condition. Those and other risks and uncertainties are more fully described in Part I, Item 1A, Risk Factors, in this report.

Governance

The Board of Directors and senior management have the responsibility for overseeing our risk management as a whole. To assist with this responsibility, the VP of InfoSec reports to the Chief Information Officer (CIO) and hosts quarterly briefings for the Executive Security Committee (ESC), consisting of executives from various departments selected to monitor and evaluate IT-related security risks, including IT, operations, loss prevention, legal, internal audit and others. The VP of InfoSec also presents to the Board of Directors at least annually. Communications and reporting to the ESC and Board of Directors include key security program and performance metrics, internal and external threat landscape, status of cybersecurity initiatives and future projects under consideration. Results of the ERM program, including significant risks, risk evaluation and mitigation efforts, are presented to the Board of Directors at least annually. In addition to the regular reporting, cybersecurity incidents identified by InfoSec or executives that meet or have the potential of meeting certain materiality thresholds are communicated to senior management. After evaluation, if deemed appropriate, cybersecurity incidents are reported to the Board of Directors.

Our management has significant experience in managing and leading IT and cybersecurity teams. The VP of the InfoSec Team holds several industry certifications including the Certified Information Security Manager (CISM), Certified Information Privacy Manager (CIPM) and the GIAC Strategic Planning, Policy, and Leadership (GSTRT) certifications. Prior to joining us, the VP of InfoSec helped to successfully develop and maintain security, compliance and privacy programs for two multi-national organizations. Our CIO has held this position for eight years, was the original designer of our security and compliance programs and has provided oversight of our security program for approximately 20 years.


Company Information

Name: BIG 5 SPORTING GOODS Corp
CIK: 0001156388
SIC Description: Retail-Miscellaneous Shopping Goods Stores
Ticker: BGFV - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 31