Lulu's Fashion Lounge Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

Lulu’s Fashion Lounge Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 16:01:38 EST.

Filings

10-K filed on 2024-03-06

Lulu’s Fashion Lounge Holdings, Inc. filed a 10-K at 2024-03-06 16:01:38 EST
Accession Number: 0001558370-24-002599


Item 1C. Cybersecurity.

We have a cross-departmental approach to addressing cybersecurity risk, including input from our Board of Directors (the "Board"), Board committees, employees and third-party experts. The Board, Audit Committee, Technology and Innovation Committee and senior management devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation.

Our information technology ("IT") team reviews cybersecurity risks periodically, and we have a set of Company-wide policies and procedures concerning cybersecurity matters, including policies related to encryption standards, remote access, multi-factor authentication, confidential information, the use of the internet, social media, email and wireless devices and incident response. These policies go through an internal review process by members of management and appropriate Board committees, as applicable.

The Company's President and Chief Information Officer, who has over a decade of experience leading information and cyber security oversight, is responsible for developing and implementing our information security program, overseeing our IT team and reporting on cybersecurity matters to the Technology and Innovation Committee.

We view cybersecurity as a shared responsibility, and we consult with third-party resources and advisors as needed on information security maturity assessments, penetration testing, dark web reviews, best practices to address new challenges, and, when applicable, digital forensics. All employees are required to complete annual information security trainings and have access to more frequent online information security trainings.

We continue to prioritize our investments in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting capabilities and engaging experts. We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts. At the management level, our IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. Further, we conduct periodic external penetration tests, bug bounty hackathons and maturity assessments to assess our processes and procedures and the threat landscape. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors and intellectual property. In addition to assessing our own cybersecurity preparedness, the Audit Committee and the IT security team also consider and evaluate cybersecurity risks associated with use of third-party service providers.

We recently created a new Technology and Innovation Committee of our Board to oversee jointly, alongside the Audit Committee, matters of technology, innovation, cybersecurity and information security. The Technology and Innovation Committee also provides advice and guidance to management on these matters. The Technology and Innovation Committee, Audit Committee and the full Board actively participate in discussions with management and amongst themselves regarding cybersecurity risks. The Technology and Innovation Committee receives quarterly cybersecurity reports, which include a review of key performance indicators, test results and related remediation, and recent threats and how the Company is managing those threats. The Audit Committee oversees cybersecurity disclosures and receives periodic reports from management and the Technology and Innovation Committee. Further, the Technology and Innovation Committee and Audit Committee periodically discuss the Company's actions to identify and detect threats, as well as its cybersecurity strategic roadmap.

In the fiscal year ended December 31, 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Risks Related to Our Technology Infrastructure in Item 1A-Risk Factors.


Company Information

Name: Lulu’s Fashion Lounge Holdings, Inc.
CIK: 0001780201
SIC Description: Retail-Catalog & Mail-Order Houses
Ticker: LVLU - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30