SHOE CARNIVAL INC 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

SHOE CARNIVAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 16:05:44 EDT.

Filings

10-K filed on 2024-03-22

SHOE CARNIVAL INC filed a 10-K at 2024-03-22 16:05:44 EDT
Accession Number: 0000950170-24-035337


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Daily, we are threatened by system intrusions, social engineering attempts and web application attacks. These threats and attempts are directed at payment data, employee credentials, system passwords and personal information. We have developed and implemented a risk-based framework to address them. We consider cybersecurity a top risk within our enterprise risk management protocol, which is subject to oversight by our Board of Directors. Our risk-based processes, as designed, seek to maintain physical, administrative and technical controls that protect the confidentiality, integrity and availability of our information systems and information stored on our network, including customer information, personal information, intellectual property and proprietary information.

We use the National Institute of Standards and Technology Cybersecurity Framework (the "NIST CSF") as a guideline for our cybersecurity framework. This does not imply that we meet any technical standards, specifications or requirements under the NIST CSF, only that we use the NIST CSF as a framework to help us identify, assess and manage cybersecurity risks related to our business. Our policies for overall general information technology controls are also influenced by the Control Objectives for Information and Related Technologies, which align with the NIST CSF.

Our key cybersecurity processes are organized into four primary categories:

- Outage and access: these processes address system intrusion and credential and password threats and risks.
- Payment and loyalty rewards: these processes protect the information of our customers.
- Personal data: these processes protect the payroll and healthcare data of our current and former employees and vendor information.
- Vendor partner security: these processes review the infrastructure and security processes of vendor partners that process transactions, provide cloud-based solutions and provide the backbone for our data flow.

Key elements of our cybersecurity processes include, but are not limited to, the following:

- Firewalls, data encryption and tokenization, multifactor authentication and data backup, among other safeguarding tactics.
- Routine tests of our backup processes, the physical security of our data storage and access to systems via penetration testing.
- A security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents.
- Training and testing of the diligence and awareness of our employees regarding social engineering email and other cybersecurity schemes and risks.
- Engaging third-party cybersecurity companies periodically to assess our cybersecurity posture and assist with identifying and remediating cybersecurity risks.
- Contractual commitments from vendor partners and a review of controls at vendor partners via System and Organization Controls reports.

Governance

Our Board of Directors oversees and guides our business and oversees our exposure to major risks. As stated in its charter, our Board of Directors has delegated to the Audit Committee the responsibility for Board-level oversight of cybersecurity risk. As part of its oversight role, the Audit Committee receives reports about our protocols, material threats or incidents and other developments related to cybersecurity. When these discussions occur, Board members with cybersecurity acumen who are not on the Audit Committee are present and active in those discussions. These cybersecurity reports are provided to our Audit Committee at least annually, and these reports are delivered by our Senior Vice President and Chief Information Officer ("CIO").

Our CIO has over 30 years of experience with our information systems and is versed in cybersecurity frameworks and best practices. A security committee assists the CIO with developing controls, selecting vendor partners, identifying emerging threats and implementing best practices within our risk-based framework. Our security team is composed of professionals with cybersecurity certifications and specialized training. The CIO addresses how we allocate capital resources to our cybersecurity processes with our executive leadership team, which includes our Chief Executive Officer, Chief Operating Officer, Chief Merchandising Officer and Chief Financial Officer. The CIO reports directly to our Chief Operating Officer.

Process to Assess, Identify and Manage Material Risks from Cybersecurity Threats

When a cybersecurity incident occurs or we identify a vulnerability, our CIO and our security committee, which is described in more detail under "Governance" above, are responsible for leading the initial risk assessment; external experts may also be engaged, and our Audit Committee or full Board may also be consulted. If a breach of our control structure were to occur, our executive leadership team, Audit Committee and counsel would be briefed by the CIO and a determination would be made on whether such issue is material enough to warrant disclosure. As of February 3, 2024, we have not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, cash flow or financial condition. Even with our current control processes and a continuous improvement mindset, cybersecurity threats constantly evolve.

If the measures we have employed were to fail, or if a breach were to occur, it could result in impairment or loss of critical functions, such as the operation of our e-commerce websites, our Evansville distribution center, our corporate network and/or our point-of-sale systems, as examples. Additionally, confidential information could be compromised or we could be defrauded or ransomed for a material amount of funds. Any of these outcomes could negatively affect our reputation and customer loyalty. The ultimate effects of a breach or loss in function or confidential information are difficult to quantify with any certainty, but such loss may be partially limited through insurance. See "Risk Factors: We could be adversely affected if our inventory technology systems fail to operate effectively, are disrupted or are compromised", "Various risks associated with our e-commerce platform may adversely affect our business and results of operations" and "We outsource certain business processes to third-party vendors and have certain business relationships that subject us to risks, including disruptions to our business and increased costs" in PART I, ITEM 1A of this Annual Report on Form 10-K, which risk factors are incorporated by reference into this section of this Annual Report on Form 10-K.


Company Information

Name: SHOE CARNIVAL INC
CIK: 0000895447
SIC Description: Retail-Shoe Stores
Ticker: SCVL - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: January 26