DULUTH HOLDINGS INC. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

DULUTH HOLDINGS INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 16:42:05 EDT.

Filings

10-K filed on 2024-03-22

DULUTH HOLDINGS INC. filed an 10-K at 2024-03-22 16:42:05 EDT
Accession Number: 0001649744-24-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. C YBERSECURITY We believe cybersecurity is critical to advancing our Big Dam Blueprint vision and recognize the importance of assessing, identifying and managing material risks associated with cybersecurity threats defined in Item 106(a) of Regulation S-K. These risks include, among others described in our risk factor disclosures in Item 1A of this Annual Report on Form 10-K: operational risks, fraud, harm to employees or customers and violation of data privacy or security laws. These cybersecurity risks make it necessary that we expend extensive assets on cybersecurity. Cybersecurity Governance Our audit committee of our board of the directors is formally charged with oversight of cybersecurity risk. This includes r eviewing the Company s cybersecurity and other information technology risks, controls and procedures, including high-level review of the threat landscape facing the Company and the Company s strategy to mitigate cybersecurity risks and potential breaches, and the Company s plan to respond to data breaches. Identifying and assessing our cybersecurity risk is integrated into our overall risk management systems and processes. As part of our program, o ur internal audit team facilitates an annual risk assessment that includes assessing cybersecurity and other technology risks. The results are shared with the board of directors during a regular board meeting. In addition, a quarterly cyber risk assessment process run by our information technology team, including our chief technology officer, is shared with the audit committee. The chair of the audit committee reports on significant cybersecurity updates to the full board of directors during executive sessions of our quarterly meetings. Our audit committee members also engage in conversations throughout the year with management on cybersecurity events and discuss any updates to our cybersecurity processes, systems and programs. Our cybersecurity risk management processes are overseen by leaders from our information technology, compliance and legal teams. Our chief technology officer has over 30 years of experience leading information technology organizations. Other individual leaders within these teams have on average over 20 years of experience in roles involving information technology, including security and compliance. Cybersecurity Risk Management and Strategy We have implemented several measures to identify and assess our cybersecurity threats. We self-assess maturity levels along with areas of risk for the cyber kill chain using the ISO/IEC 33004:2015 Process Maturity Model. Within this model, our risk dashboard is continually assessed based on eight key initiatives: reconnaissance, intrusion, exploitation, privilege escalation, lateral movement, obfuscation/anti-forensics, denial of service and exfiltration. Along with this model, we engage and utilize various third parties to measure risk profiles of ourselves and vendors, security threats specific to our Company both internal and external through multiple avenues such as website and social media and perform periodic penetration tests to identify cybersecurity risks and threats to the Company. These evaluations include testing both the design and operational effectiveness of security controls. We recognize a cybersecurity incident experienced by a supplier or vendor could materially impact us. We assess third party cybersecurity controls as part of our third-party information technology risk when integrating new tools or third parties. We contractually require third parties to report cybersecurity incidents to us so we can assess the impact of the incident and any necessary regulatory reporting obligations that may be required. Additionally, as part of the contract management process, new information technology vendors are subject to a cybersecurity review by the information technology team and include cybersecurity and data privacy language, if applicable, in contracts. Training of employees, utilization of incident response plans, payment card industry audits, and SOX testing are all processes by which we seek to prevent, detect, mitigate and remediate cybersecurity incidents. In the event of a security or data incident, the impact is evaluated, ranked by severity, and prioritized for remediation. Incidents deemed to have a moderate or higher business impact, even if immaterial to the Company, are reported to the audit committee. Notwithstanding our risk management efforts related to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material or other adverse effect on us. See Item 1A. Risk Factors for a discussion of our information technology and cybersecurity risks. In fiscal 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. 23 Table of Contents

Company Information