Aaron's Company, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Aaron’s Company, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:18:19 EST.

Filings

10-K filed on 2024-02-29

Aaron’s Company, Inc. filed a 10-K at 2024-02-29 16:18:19 EST
Accession Number: 0001821393-24-000012


Item 1C. Cybersecurity.

Risk Management and Strategy

As a part of the Company's overall risk management and compliance programs, we have developed an enterprise cybersecurity program designed to identify, protect, detect, respond to and recover from cybersecurity and other data security threats. This enterprise cybersecurity program is based in part on, and its maturity is measured using, the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Our enterprise cybersecurity program classifies potential threats by risk levels and we typically prioritize our threat mitigation efforts based on those risk classifications, while focusing on maintaining the resiliency of our systems. In recent years, we have increased our investments in our ability to identify, protect, detect, respond to and recover from cybersecurity and other data privacy risks within our environment. In the event we identify a potential cybersecurity, privacy or other data security issue, we have defined procedures for responding to such issues, including procedures that address when and how to engage with Company management, our Board of Directors, third-party advisors, other stakeholders and law enforcement when responding to such issues.

With respect to cybersecurity and other data privacy risks associated with third parties, the Aaron’s Business has a Third Party Oversight Program that manages the risk of our third party relationships. We assess our vendors’ compliance with applicable laws, regulations, and industry standards and negotiate appropriate contractual provisions to mitigate risk. We expect each of our vendors to appropriately manage its internal risks as well as risks the relationship poses to our Company. We also understand the importance of collecting, storing, using, sharing and disposing of personal information in a manner that complies with all applicable laws.
To facilitate compliance with those laws, we have privacy policies in place regarding our treatment of customer data in both our offline and online retail environments, as well as policies relating to the protection of employee and vendor data. Our policies provide explanations of the types of information we collect, how we use and share information, and generally describe the measures we take to protect the security of that information. Our policies also describe how customers may initiate inquiries and raise concerns regarding the collection, storage, sharing and use of their personal data. In addition, our team members also must complete mandatory training to understand the behaviors and technical requirements necessary to safeguard information resources at the Company. Some of the other steps we have taken to detect, identify, classify and attempt to mitigate data security and privacy risks include:

- Establishing a new Cyber Incident Sub-Committee of the management-level Disclosure Committee that is responsible for evaluating the Company's disclosure obligations relating to matters of cybersecurity and related incidents;
- Adopting and periodically reviewing and updating information security and privacy policies and procedures;
- Conducting targeted audits and penetration tests throughout the year, using both internal and external resources;
- Conducting security maturity posture assessments, including engaging an industry-leading, nationally-known third party to independently evaluate our information security maturity on a regular basis;
- Utilizing technologies, processes, and capabilities designed to protect our systems and data and detect potential suspicious activity;
- Complying with the Payment Card Industry Data Security Standard;
- Adopting a vendor risk management program, which includes receiving the results of cybersecurity and data privacy audits conducted on certain vendors, classifying vendor, service provider or business partner risk based on several factors and evaluating and monitoring related risk mitigation efforts;
- Providing security and privacy training and awareness to all of our team members;
- Conducting periodic phishing simulations to test our team members' responses to suspicious emails and to inform targeted cyber awareness training; and
- Maintaining cyber liability insurance.

We have experienced targeted and non-targeted cybersecurity attacks and incidents in the past that have resulted in unauthorized persons gaining access to our information systems, and we could in the future experience similar attacks. To date, no cybersecurity attack or incident, or any risk from cybersecurity threats, has materially affected or has been determined to be reasonably likely to materially affect the Company or our business strategy, results of operations, or financial condition. For additional information regarding the risks from cybersecurity threats we face, see the section captioned “Risks Relating to Our Business Cyber-Security and Technology Risks” under Part I, Item 1A “Risk Factors” above.
Governance

Our Board of Directors recognizes the important role of information security and mitigating cybersecurity and other data security threats, as part of our efforts to protect and maintain the confidentiality and security of customer, employee and vendor information, as well as non-public information about our Company. Although our full Board of Directors has ultimate responsibility with respect to risk management oversight, the Audit Committee of our Board of Directors is charged with, among other matters, overseeing risks attendant to the identification and mitigation of cybersecurity risks. As part of this risk oversight role, our full Board of Directors and the Audit Committee periodically receive reports from management, external professional advisors and others regarding various types of risks faced by the Company and the Company's risk mitigation efforts related thereto, including cybersecurity risks and related mitigation efforts. The Board and the Audit Committee receive presentations from management regarding trends in cybersecurity risks and risk mitigation initiatives and plans, including briefings on recent and notable breaches at other companies and key takeaways and lessons learned that are applicable to our business. The Board and the Audit Committee also review key cybersecurity-related benchmarks for the Company. Furthermore, our Board of Directors and Audit Committee review our cybersecurity-related investments, initiatives and plans with management. In addition, we have a dedicated team of employees overseeing our day-to-day cybersecurity and data privacy initiatives, led by our Chief Information Security Officer, in consultation with internal and external attorneys and other professional advisors.

Our cybersecurity and data privacy employees have a vast background in cybersecurity, including prior relevant experience in government entities, network security, cybersecurity consulting firms, and a variety of industry standard certifications. We also have an Enterprise Information Security Steering Committee (EISSC) comprised of a cross-functional group of senior executives and other team members that meets on a regular basis to provide oversight with respect to our cybersecurity and data privacy identification, protection, detection, response and recovery-related efforts. The EISSC and other senior personnel, including the Audit Committee and our Board of Directors, are informed of cybersecurity incidents as prescribed by the Company's incident response plan and related processes, procedures, and standards. Our internal audit function, along with external consultants, are also participants in our cybersecurity risk identification and analysis processes. Our Chief Information Security Officer regularly provides updates to the Audit Committee and to our Board of Directors regarding the status and effectiveness of our cybersecurity and data privacy programs.


Company Information

Name: Aaron’s Company, Inc.
CIK: 0001821393
SIC Description: Services-Equipment Rental & Leasing, NEC
Ticker: AAN - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 30