SIGNET JEWELERS LTD 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

SIGNET JEWELERS LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 07:05:47 EDT.

Filings

10-K filed on 2024-03-21

SIGNET JEWELERS LTD filed an 10-K at 2024-03-21 07:05:47 EDT
Accession Number: 0000832988-24-000083

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk management and strategy Signet recognizes the importance cybersecurity has to the success of our business. We also recognize the need to continually assess cybersecurity risk and evolve our response in the face of a rapidly and ever-changing environment. Accordingly, we aim to protect our business operations, including customer records and information, against known and evolving cybersecurity threats. Signet manages cybersecurity risk using a cross-functional approach, which is overseen by the Company s Board. The Company s cyber risk management program is designed to anticipate, identify, assess, manage, mitigate, and respond to cybersecurity threats. This 32 Table of Contents program is integrated within the Company s enterprise risk management processes and addresses the store and corporate information technology environments, as well as third-party vendors, software, and applications upon which we rely. The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework ( CSF ). Signet conducts periodic assessments against the NIST CSF and reviews key cybersecurity risks, utilizing a third party to perform this assessment of the Company s cyber risk management program. The risk assessments, together with risk-based analysis and judgment, are used to determine security controls to address identified risks. Signet has strategically integrated cybersecurity risk management into the Company s policies and broader enterprise risk management framework to promote a company-wide culture of cybersecurity. Signet considers the following factors, among others, during the process of determining how to address risks and which controls to implement: likelihood and severity of the risk the impact on the Company, the Company s customers, employees, and shareholders and if a risk materializes, the feasibility and cost of controls and the impact of controls on operations. Signet has a cybersecurity operations program that monitors its global cybersecurity environment and coordinates the investigation and remediation of cybersecurity alerts. In the event of a cybersecurity incident, the Chief Information Security Officer ( CISO ) is equipped with an incident response plan that includes immediate actions designed to mitigate the impact and long-term strategies for remediation and prevention of future incidents. We frequently stage incident response drills to prepare support teams to respond to a significant incident. The Company s information security program includes the following specific controls that are used to some extent: endpoint threat detection and response identity and access management privileged access management logging and monitoring involving the use of security information and event management multi-factor authentication firewalls and intrusion detection and prevention and vulnerability and patch management, as well as policy and technical controls governing the use of AI. Signet partners with leading cybersecurity companies and organizations, leveraging third-party technology and expertise. Signet engages with these partners to provide or operate technical controls and technology systems, monitor, and maintain the performance and effectiveness of products and services deployed in Signet s environment, and conduct vulnerability scans and penetration testing. Signet also maintains a risk-based approach for assessing, identifying, and managing risks from cybersecurity threats associated with third-party service providers, third-party software, third-party applications and other companies with whom we do business (such as our outsourced credit card partners). Signet utilizes industry standard tools to assess the criticality of software, data assets, and operational technology. We conduct security assessments of high-risk third-party service providers before engagement to ensure compliance with our cybersecurity standards, including review of the service providers System and Organization Controls (SOC) report to assess their cybersecurity controls and risk assessment. This approach is designed to mitigate risks related to data breaches or other security incidents originating from or otherwise due to reliance on third parties. Signet faces risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. Signet does not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our overall business strategy, results of operations, or financial condition. However, Signet (or third parties on which Signet relies) may not be able to implement security controls fully, continuously and effectively as designed or intended. As described above, the Company utilizes a risk-based approach and judgment to determine the security controls to implement, and it is possible that Signet may not implement appropriate controls if management does not recognize, or underestimates, a particular risk. In addition, security controls, no matter how well designed or implemented, may only partially mitigate, but not fully eliminate, risks. Security events, when detected by security tools or third parties, may not always be immediately understood or acted upon by the Company (or by third parties on which Signet relies). See the Risk Factors section in Item 1A of this Annual Report on Form 10-K for additional discussion of our cybersecurity risks. Governance Signet s cybersecurity program is run by our CISO, who is the head of the Company s cybersecurity team, and who reports to Signet s Chief Information Officer ( CIO ). The CISO is responsible for assessing and managing Signet s cybersecurity risk management program, regularly informing senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervising such efforts. Our CISO and CIO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our CISO has served in this position with Signet since 2018, was previously CISO at multiple Fortune 500 retail and hospitality organizations, and held senior cybersecurity management roles in the financial services industry. The Signet cybersecurity team supporting the CISO has experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes around the world, and relies on threat intelligence as well as other information obtained from governmental, public, or private sources, including external consultants engaged by Signet. In addition, a cross-functional management committee has been established to assess cybersecurity breaches, should they occur, to determine whether a breach is material and requires disclosure. The Governance and Technology Committee of the Board ( GTC ) oversees Signet s cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. Two of the members of our GTC are technology executives employed at their respective organizations who are highly technology-fluent and well-versed on cyber risks. The CISO and CIO regularly brief the GTC on the effectiveness of Signet s cyber risk management program and risk status. In addition, cybersecurity risks are reviewed by the Board, at least annually, as part of the Company s corporate risk-mapping exercise. In addition to scheduled meetings, the GTC, CISO and CIO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain, ensuring the Board s oversight is proactive and responsive. 33 Table of Contents

Company Information