Zumiez Inc 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

Zumiez Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 16:04:53 EDT.

Filings

10-K filed on 2024-03-14

Zumiez Inc filed an 10-K at 2024-03-14 16:04:53 EDT
Accession Number: 0000950170-24-031449

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. C YBERSECURITY Risk Management and Strategy Overview At its core, our cybersecurity program is the collection of people, processes and technologies that are designed to protect our networks, computers and data from attack, damage, or unauthorized access. The cybersecurity program is also part of a broader cybersecurity framework, which involves how we assess and manage cybersecurity threat risks and how this integrates into our overall risk management framework. While the foregoing summary is specific to our North America business operations we believe that the cybersecurity programs of our International business operations are consistent with the approach and framework outlined below and are appropriate for the scope and scale of their operations. The Security and Compliance Team, within our IT department, takes the lead role in helping to ensure that we maintain comprehensive technologies and programs to ensure our systems are effective and prepared for cybersecurity risks. The Security and Compliance Team is led by the Security and Compliance Program Manager and consists of a Lead Security Engineer and a Security Analyst. The Security and Compliance Team works very closely with our team across the IT department and with several different third parties who provide expertise in different areas such as threat hunting and penetration testing. Objectives and Key Principles and Priorities The objective of the Security and Compliance Team is to build practices within the company to define, implement, enforce, and measure our security, compliance and disaster recovery readiness. In doing so, it utilizes some of the following key guiding principles and priorities: Alignment . Working within the organization to clearly define the need for secure computing practices, gaining buy-in on this need and the development of a mindset across the organization around secure computing. Measurement and Visibility . Developing measurement and reporting methods which inform our stakeholders both in the business as well as external audit and other outside entities as to compliance with various security frameworks and regulatory obligations. Protection . Using a commonly accepted industry framework to build and ensure the enforcement of policies and procedures which secure the data and systems of all our stakeholders. Response . Ensuring that that if a security incident occurs there is a clear and well understood response plan which is followed by all response participants. Resources and Tools . Identifying the resources needed to run the cybersecurity program commensurate with the size and complexity of our company, including identifying and implementing appropriate tools and systems to help strengthen our security posture. On a day-to-day basis and from a project perspective, the Security and Compliance Team undertakes the following activities: Builds and reviews reports on newly identified security threats. Monitors various internal security toolsets including EDR (Endpoint Detection and Response), email security and logging from company firewalls and other security related systems and takes action to prevent or resolve incidents identified by monitoring. Ensures that appropriate vendor patches/configurations are applied to the various internal systems that operate to maintain a secure environment. Works with various teams with the IT department to ensure that company servers and data are properly backed up and that compliance requirements and security best practices are following during new system implementations. 21 Deploys and tunes various security and monitoring platforms. Manages the North America Annual PCI (Payment Card Industry) review and consults with Zumiez international entities regarding PCI. Provides evidence gathering for, and conducts walk throughs with, internal and external audit teams for internal control over financial reporting related to Section 404 of the Sarbanes-Oxley Act of 2002 (SOX Controls). Maintains a system of security policies and procedures within the IT department related to cybersecurity and compliance requirements, primarily related to PCI compliance and SOX Controls. Framework for Cybersecurity Controls We have implemented risk-based controls to protect our networks, computers and data. To this end, we utilize the Center for Internet Security (CIS) version 8.0 framework, which is comprised of eighteen critical security controls. The CIS framework is based on the COSO (Committee of Sponsoring Organizations on the Treadway Commission) and NIST (National Institute of Standards and Technology) frameworks and provides a highly actionable way to implement those frameworks and maps directly to other compliance requirements relevant to us, including PCI compliance and SOX controls (briefly discussed above). Use of Third Parties We work with a third party that provides us with threat hunting services via an Endpoint Detection and Response (EDR) platform. This team proactively searches for newly uncovered threats based on up-to-the-minute intelligence on the cybersecurity threat landscape and their knowledge of the Zumiez environment. Upon discovery of a potential threat, the threat hunting team provides initial remediation guidance. We also conduct periodic penetration testing of our systems. This testing is performed by a qualified third-party testing company and is in alignment with our CIS controls. Penetration testing is meant to provide us with information on the security of a particular system or application. These findings then can be used by us to inform remediation work on a go-forward basis. Cybersecurity Insurance. We maintain what we believe are appropriate levels of cybersecurity insurance that covers settlements, judgments and defense costs arising out of a failure of network security, a privacy breach, media liability, business income loss resulting from a cyber event and for cyber extortion coverage. This cybersecurity insurance coverage also provides for the following breach response services in connection with incidents involving the theft, loss or unauthorized disclosure of third-party information and computer system security breaches: Computer expert services (such as a cybersecurity firm to determine the existence and cause of an actual or suspected electronic data breach or a PCI forensic investigator in connection with investigations dealing with credit card data) Legal services Notification services to provide notification to impacted individuals Call center services Breach resolution and mitigation services, including credit monitoring and identity theft monitoring and Public Relations and crisis management expenses. Cybersecurity Incident Response Plan We have a Cybersecurity Incident Response Plan which is maintained by the Security and Compliance Team. The Incident Response Plan establishes what people and organizations need to be engaged in the event of a significant 22 incident. The Incident Response Plan also provides templates for technical resolution, documentation and communication to internal stakeholders as well as insurers and governmental and other regulatory agencies. Risk Mitigation We also manage cybersecurity risk by limiting our threat landscape. For example, as an omni-channel retailer, we accept credit and debit cards via all sales channels and protecting cardholder data is a critical component of our security practices. Accordingly, PCI compliance (discussed briefly above) is very important and we engage an external qualified assessor to audit our compliance and to provide us with a report on compliance that is also shared with various payment providers. To help reduce our exposure to unauthorized access of cardholder data, we have utilized a strategy of minimizing or eliminating the storage of, and unencrypted transmission of, cardholder information across our various systems. Moreover, our businesses do not involve or represent national infrastructure, the likes of which are common targets of cyber attackers (e.g., energy, oil & gas, transportation, communications, banking and financial systems, etc.). We recognize that cyber threats are a permanent part of the risk landscape and that new threats are constantly evolving. For these and other reasons, cybersecurity is a top risk management priority at Zumiez. Like many companies, we face a number of cybersecurity risks in the day-to-day operation of our business. Although to date these risks have not materialized into any instances or series of instances that have had a material adverse effect on our business or otherwise caused material harm to the company, we have, on occasion, experienced cybersecurity threats to our data and information systems, including phishing attacks. For more information about the cybersecurity risks we face, see the risk factor entitled “If we fail to meet the requirements to adequately maintain the privacy and security of personal data and business information, we may be subject to adverse publicity, litigation and significant expenses in Item 1A Risk Factors. Governance As discussed above, the Security and Compliance team takes a lead role in helping to ensure that we maintain comprehensive technologies and programs to ensure our systems are effective and prepared for cybersecurity risks. This team is supported by our Zumiez North America Cybersecurity Team, which consists of the Security and Compliance Program Manager, the Director of Infrastructure IT, the Vice President of IT, the Chief Financial Officer and the Chief Legal Officer. Additional support and guidance are provided by the Zumiez North America IT Steering Committee, which consists of the Chief Financial Officer, Chief Legal Officer, the Executive Vice President of North American Consumer Teams, the Vice President of IT, the Director of Infrastructure IT and the Senior Program Manager of Digital Commerce. Together, the Zumiez North America Cybersecurity Team and the Zumiez North America IT Steering Committee provide guidance and oversight to the Security and Compliance Team in alignment with the company s overall risk management and oversight framework. Members of management, including our Chief Legal Officer, regularly report on the company s cybersecurity matters to our board s Audit Committee. The Audit Committee has been assigned the responsibility for reviewing and discussing with management the company s major operational, legal and regulatory risks, including data security and privacy and the company s policies to identify and manage cybersecurity risks. In order to inform the Audit Committee of the planning and execution of our cybersecurity program, several different reports are provided from management. Annual Cybersecurity Plan . This plan is provided for the first quarter Audit Committee meeting and outlines the cybersecurity related strategic initiatives for the fiscal year. It outlines any new investments and projects and their alignment with the cybersecurity framework, as well as the expected timelines for the implementation of these activities. 23 Quarterly Cybersecurity Memos . At the 2 nd , 3 rd and 4 th quarter Audit Committee meetings, an update memo is provided to the Audit Committee that details the progress against the Annual Cybersecurity Plan, any updates on PCI compliance and SOX compliance activities and any emerging threats. The memo also contains a summary of significant cybersecurity threats over the past quarter both within our ecosystem and outside our ecosystem and any impact (if any) they may have had upon the company. Internal Audit Reports . Our internal audit function s reviews of our information security programs and controls are included in quarterly reports to the Audit Committee. The cybersecurity program and related risks are also discussed with the full Board of Directors as part of the review and discussions around the topic of risk management and the risk oversight framework that generally take place at the 3 rd quarter Board of Directors meeting. Any potentially significant information security issues that arise during the year are discussed with management and captured in our disclosure controls and procedures and are discussed with our Audit Committee chair between board meetings as appropriate.

Company Information