FIVE BELOW, INC 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

FIVE BELOW, INC reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-03-21 14:39:30 EDT.

Filings

10-K filed on 2024-03-21

FIVE BELOW, INC filed a 10-K on 2024-03-21 at 14:39:30 EDT
Accession Number: 0001177609-24-000008


Item 1C. Cybersecurity.

Cybersecurity risk is assessed at the enterprise level as part of our overall enterprise risk management program. We maintain a dedicated cybersecurity function and program that is led by the Chief Information Security Officer (“CISO”). The cybersecurity function performs an annual threat and risk assessment that drives our security strategy. The strategy is aligned to the ISO 27001/02 and NIST cybersecurity frameworks, which drive our security policies and procedures. These policies and procedures, along with enabling security technology and qualified security function employees, maintain activities to prevent, detect, and minimize the effects of cybersecurity incidents. Cybersecurity technology and practices are in place to enable the protection of consumer and employee personal data and confidential information. We maintain incident response plans and playbooks that allow for cybersecurity incident response, management and recovery in the event of an incident. These plans are tested on an annual basis.

We periodically engage qualified third parties to perform external assessments and audits of our overall security program, as well as to perform detailed security assessments of various components of our overall technology infrastructure. We also supplement our own internal expertise with qualified third parties to engage in varying security operational functions aiding in the identification and remediation of potential cybersecurity threats. We require employees and temporary staffing to complete annual training on information security, including cybersecurity, global data privacy requirements and compliance measures. We have implemented a third-party service provider risk assessment program to assess material cyber threats associated with using third party providers. This program is designed to assess risk prior to the onboarding of new providers as well as to review high risk and medium risk providers on an annual basis.

As of the date of this Annual Report, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition.

We have integrated governance processes into our overall risk management framework to enable the Board of Directors to oversee cybersecurity risk. The Audit Committee oversees management's policies and procedures related to cybersecurity risk management and periodically reports to the Board of Directors. The Chairman of the Audit Committee acts as the lead with respect to direct oversight of management. Our Board of Directors considers cybersecurity risks through interaction with our management team and the Audit Committee, as well as through quarterly updates with our CISO. Management informs the Audit Committee of material aspects of our cybersecurity program on a quarterly basis. This includes informing the committee on key strategic and operational goals, risk mitigation efforts, performance metrics, and descriptions and notification of emerging or existing risks as well as incidents impacting us. Management assesses and considers cybersecurity risks through its enterprise risk management program, consultation with external advisors, as well as through discussions with our CIO and CISO.

We have an experienced and dedicated CISO, who has served in various roles in information technology, technology audit and security over the past 38 years, including serving as a senior partner in charge of various information security and business resiliency practices at one of the Big 4 Accounting consultancies, advising some of the largest public company leadership teams and boards of directors on cyber related issues and projects. The CISO also served as the CISO for one of the Big 4, as well as a retail ecommerce business virtual CISO. The CISO holds an undergraduate degree in Management Information Systems and has attained the professional certification of Certified Information Systems Auditor. Management is informed of cybersecurity risks and activities as part of the quarterly business review of the Information Technology function.


Company Information

Name: FIVE BELOW, INC
CIK: 0001177609
SIC Description: Retail-Variety Stores
Ticker: FIVE - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: February 2