ROCKY BRANDS, INC. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

ROCKY BRANDS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 09:13:00 EDT.

Filings

10-K filed on 2024-03-15

ROCKY BRANDS, INC. filed a 10-K at 2024-03-15 09:13:00 EDT
Accession Number: 0001437749-24-007987


Item 1C. Cybersecurity.

Risk Management & Strategy

Rocky Brands recognizes the critical importance of developing, implementing, and maintaining a robust information security program to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We have established information security programs and policies, including processes for identifying, assessing, and managing risks arising from cybersecurity threats. These processes involve regular assessments of our information systems and infrastructure to identify vulnerabilities and threats.

We focus on executing a centralized information technology and cybersecurity program. Our Company-wide approach is to be positioned as one security program, one posture and one roadmap for the enterprise. This platform is administered across our departments by our cybersecurity team led by our Senior Vice President of Information Technology. Our information security programs and policies are aligned with those of the Center for Internet Security (CIS), Control Objectives for Information Technologies (COBIT), and National Institute of Standards Technology (NIST).

We are integrating our information security programs and cybersecurity risk management processes into our overall enterprise risk management (ERM) strategy. We are developing an entity-wide information technology ERM framework and will take steps to monitor, report on and communicate to stakeholders consistent with our ERM strategy.

Recognizing the cybersecurity risk landscape is complex and ever evolving, we engage with a broad group of external experts and consultants, and auditors in evaluating and testing our information security programs. We leverage this specialized expertise to manage threat detection and response management, conduct regular audits and consult on our overall information security programs.

We are acutely aware of risks associated with third-party service providers and we incorporate cybersecurity into our third-party vendor management policy. We conduct thorough security assessment to determine the category of risk third parties pose to Rocky Brands, with a priority focus on vendors with products or services that will have access to private and sensitive information. Vendor assessments incorporate inputs, including for example, BitSight and Service Organization Control Type 2 (SOC2) information available for our third-party vendors. Our assessments and monitoring are designed to mitigate risks related to data breaches or other security incidents originating from third parties.

Although no cybersecurity incidents during the year ended December 31, 2023 had a material impact on our business strategy, results of operations or financial condition, the scope and impact of any future incident cannot be predicted. See Item 1A Risk Factors for more information about our information security and cybersecurity risks.

Governance

Our Board of Directors has established governance protocol over risk management, including general oversight of information technology security and cybersecurity risk. The Audit Committee is central to the Board's oversight of cybersecurity risks and is primarily responsible for this domain. The Audit Committee actively participates in discussions with management, external experts, and amongst themselves regarding cybersecurity risks. The Audit Committee is comprised of Board members with broad expertise, including technology, risk management and finance, enabling them to effectively oversee and govern cybersecurity risks. One Audit Committee member is certified under the National Association of Corporate Directors Certificate in Cyber-Risk Oversight Program.

We have developed a robust organizational structure to manage and oversee our information technology and cybersecurity programs, including full-time information security associates dedicated to cybersecurity. These individuals possess relevant experience and expertise in cybersecurity and risk management. Our Senior Vice President of Information Technology leads our information security, data privacy and protection, and information technology compliance programs. Guided by management, our information technology teams maintain a detailed Cyber Incident Response Plan (CIRP) and hold frequent meetings to ensure the proper communication and execution of our security controls and procedures.

The Senior Vice President of Information Technology regularly reports to and maintains ongoing dialog with our CEO, CFO and COO, and Board of Directors regarding our information security programs. This reporting includes updates on matters evaluated under our CIRP, the current threat landscape, cybersecurity initiatives, and the effectiveness of our cybersecurity programs. Our Senior Vice President of Information Technology has more than 20 years of cybersecurity experience, is an active Certified Information Systems Security Professional, and trained in assessing and managing cyber risks.


Company Information

Name: ROCKY BRANDS, INC.
CIK: 0000895456
SIC Description: Footwear, (No Rubber)
Ticker: RCKY - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30