DESTINATION XL GROUP, INC. 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

DESTINATION XL GROUP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 16:30:57 EDT.

Filings

10-K filed on 2024-03-21

DESTINATION XL GROUP, INC. filed an 10-K at 2024-03-21 16:30:57 EDT
Accession Number: 0000950170-24-034763

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We recognize the critical importance of maintaining the trust and confidence of our customers and employees. Consequently, we maintain a comprehensive security incident response plan ( SIRP ) and we assess, identify, and manage material risks associated with cybersecurity threats. Our SIRP includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. We have integrated cybersecurity risk management into our broader risk management framework through various mechanisms, including (i) our updates to the Cybersecurity and Data Privacy Committee (the Cyber Committee , created by our Board of Directors (the Board ) in 2016), which meets at least quarterly (ii) our annual enterprise risk management update to the Board, and (iii) our information technology and security related internal controls, including vulnerability management programs. The Company trains employees to understand their role in attempting to protect the Company from cybersecurity attacks. Our information security training program for employees includes acknowledgement of our information security policies, regular internal communications, and testing to measure the effectiveness of our information security program. For example, we conduct regular phishing awareness campaigns designed to emulate current threats and provide immediate feedback and, as necessary, additional training or remedial action. In addition, the Company engages third parties to assist in assessing, identifying, and remediating material risks from cybersecurity threats. Our key cybersecurity controls are regularly tested by third-party service providers, which we retain to help identify vulnerabilities in our systems and to help maintain compliance to standards and regulatory requirements. Other third-party service providers are enlisted by the Company for security operations center services to augment our teams monitoring capabilities and to assist with our investigation and response to alerts on emerging and ongoing threats. Further, our cybersecurity team continuously evaluates and addresses cybersecurity risks in alignment with our business objectives and operational needs. We use various security tools and processes to help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner, including, but not limited to, risk assessment network security controls, detection and response tools and a vulnerability management program. The complexity and evolving nature of cybersecurity threats requires that we engage with a range of external experts, including cybersecurity assessors and consultants, in evaluating and testing our risk management systems. This enables us to leverage specialized knowledge and insights, to be confident that our cybersecurity strategies and processes are consistent with industry best practices. Our collaboration with these third-parties includes regular threat assessments and consultation on security enhancements. In order to mitigate data or security incidents that may originate from third party vendors or suppliers, we conduct both privacy and security assessments to properly identify, prioritize, assess and remediate any third-party risks, and require security and privacy addenda to our contracts where applicable. The nature of our business exposes us to cybersecurity threats and attacks that can lead to the unauthorized acquisition or access, compromise, loss, misuse or theft of our data, including personal information, confidential information or intellectual property. To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including our business strategy, results of operations, or financial condition. Also see Part 1, Item 1A, Risk Factors , in this Annual Report on Form 10-K for a discussion of cybersecurity risks. Governance Our Board is ultimately responsible for the risk oversight of the Company, including cybersecurity and privacy risks. Our Board has delegated day-to-day responsibility for oversight of cybersecurity risks to the Cyber Committee. The Cyber Committee is composed of board members with diverse expertise including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively. Pursuant to its charter, our Cyber Committee: assists our Board in fulfilling its risk oversight responsibilities with respect to the protection of the Company s assets, including confidential, proprietary and personal information, reputation and goodwill in all forms supervises and monitors the soundness of our cybersecurity and data protection strategies and practices 20 oversees and monitors our material compliance with applicable information security, privacy and data protection laws, industry standards and contractual requirements promotes and furthers the integrity, adoption and coordination of our data security processes across the Company to help ensure that data and system security is a Company-wide business objective and priority and oversees our cybersecurity and data protection performance and the overall implementation of our cybersecurity and data protection strategy. At the management level, our Chief Technology Officer ( CTO ), SVP, Technology and Information as well as our cybersecurity personnel are primarily responsible for identifying, assessing, monitoring and managing our cybersecurity. Our CTO reports directly to our President and Chief Executive Officer and at least quarterly meets with the Cyber Committee. Our current CTO has over 35 years of industry experience, including serving as CIO/CTO for over 6 years and having extensive experience in developing and leading technology risk management programs. Additionally, our technology staff holds multiple industry standard security certifications, including Cisco Certified Network Associate (“CCNA”), PCI Internal Security Assessor (“PCI ISA”) and Certified Ethical Hacker (“CEH”). 21

Company Information