TANDY LEATHER FACTORY INC 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

TANDY LEATHER FACTORY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 16:21:30 EDT.

Filings

10-K filed on 2024-03-22

TANDY LEATHER FACTORY INC filed an 10-K at 2024-03-22 16:21:30 EDT
Accession Number: 0001140361-24-014799

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C below. However, we cannot guarantee that these preventative measures and incident response efforts will be entirely effective. If we fail to effectively assess and identify cybersecurity risks associated with the use of technology in our business operations, we may become increasingly vulnerable to such risks. The theft, destruction, loss, misappropriation, or release of sensitive and/or confidential information or intellectual property, or interference with our information technology systems or the technology systems of third parties on which we rely, could result in business disruption, negative publicity, brand damage, violation of privacy laws, loss of customers, potential liability and competitive disadvantage. Unreliable or inefficient information technology or the failure to successfully implement or invest in technology initiatives in the future could adversely impact operating results. We rely heavily on information technology systems in the conduct of our business, some of which are managed, and/or hosted by third parties, including, for example, point-of-sale processing in our stores, management of our supply chain, and various other processes and procedures. These systems are subject to damage, interruption or failure due to theft, fire, power outages, telecommunications failure, computer viruses, security breaches, malicious cyber-attacks or other catastrophic events. Certain technology systems may also be unreliable or inefficient, and technology vendors may limit or terminate product support and maintenance, which could impact the reliability of critical systems operations. If our information technology systems are damaged or fail to function properly, we may incur substantial costs to repair or replace them and may experience loss of critical data and interruptions or delays in our ability to manage inventories or process transactions, which could result in lost sales, customer or employee dissatisfaction, or negative publicity that could negatively impact our reputation, results of operations and financial condition. Moreover, our failure to adequately invest in new technology or adapt to technological developments and industry trends, particularly with respect to digital commerce capabilities, could result in a loss of customers and related market share. If our digital commerce platforms do not meet customers expectations in terms of security, speed, attractiveness or ease of use, customers may be less inclined to return to such digital commerce platforms, which could negatively impact our business. 12 Table of Contents Risks Related to the Macroeconomic Environment Our business may be negatively impacted by general economic conditions in the United States and abroad. Our performance is subject to global economic conditions and their impact on levels of consumer spending that affect not only the ultimate consumer, but also small businesses and other retailers. Specialty retail, and retail in general, is heavily influenced by general economic cycles. Specifically, at the time of filing this Form 10-K, the American and world economies have been acutely affected by a combination of factors resulting from both the COVID-19 pandemic and the war resulting from the invasion of Ukraine by Russian military forces. The current impacts of these events include (but are not limited to) levels of inflation that are the highest in the U.S. in more than 40 years, fuel prices at or near record highs, an extremely tight labor market with rising wages and competition to attract qualified workers, rising real estate prices and increases in interest rates. Purchases of non-essential, discretionary products tend to decline in periods (such as the current one) of recession or uncertainty regarding future economic prospects, as disposable income declines. During these periods of economic uncertainty, we may not be able to maintain or increase our sales to existing customers, make sales to new customers, open and operate new stores, maintain sales levels at our existing stores, maintain or increase our international operations on a profitable basis, maintain our earnings from operations as a percentage of net sales, or generate sufficient cash flows to fund our operational and liquidity needs. As a result, our operating results may be adversely and materially affected by continued downward trends or uncertainty in the United States or global economies. Foreign currency fluctuations could adversely impact our financial condition and results of operations. We generally purchase our products in U.S. dollars. However, we source a large portion of our products from countries other than the United States. The cost of these products may be affected by changes in the value of the applicable currencies. Changes in currency exchange rates may also affect the U.S. dollar value of the foreign currency denominated sales that occur in other countries (currently Canada and the European Union). This revenue, when translated into U.S. dollars for consolidated reporting purposes, could be materially affected by fluctuations in the U.S. dollar, negatively impacting our results of operations and our ability to generate revenue growth. We face risks related to the effect of economic uncertainty. During events of economic downturn and slow recovery, our growth prospects, results of operations, cash flows and financial condition could be adversely impacted. Our stores offer leather and leathercraft-related items, which are viewed as discretionary items. Pressure on discretionary income brought on by economic downturns and slow recoveries, including housing market declines, rising energy prices and weak labor markets, may cause consumers to reduce the amount they spend on discretionary items. The inherent uncertainty related to predicting economic conditions makes it difficult for us to accurately forecast future demand trends, which could cause us to purchase excess inventories, resulting in increases in our inventory carrying cost, or limit our ability to satisfy customer demand and potentially lose market share. While the impact of the COVID-19 pandemic has mostly receded, there are residual effects such as higher consumer prices and interest rates. Furthermore, another serious outbreak of coronavirus or other deadly disease could also have a material adverse effect on our business and liquidity. The COVID-19 pandemic had an unprecedented and lasting impact on the U.S. economy, some of which continues to today. The possibility of another outbreak of a coronavirus variant or other deadly disease that would have material adverse effect on the economy, our supply chain partners, our employees and our customers is now all too real. While we are better prepared to handle a future pandemic, it could impact our ability to keep our stores open, to obtain merchandise or payment terms from our vendors, to transport merchandise to and from our warehouse, to operate our warehouse, factory and other facilities that require on-site activities, and thus materially adversely affect our revenues, earnings, liquidity and cash flows. 13 Table of Contents Risks Related to Legal, Regulatory and Compliance If the United States maintains current tariffs on products manufactured in China, or if additional tariffs or trade restrictions are implemented by other countries or by the U.S., the cost of our products manufactured in China or other countries and imported into the U.S. or other countries could increase. This could in turn adversely affect the profitability for these products and have an adverse effect on our business, financial condition and results of operations. In addition, the violation of labor, environmental or other laws by an independent manufacturer or supplier, or divergence of an independent manufacturer s or supplier s labor practices from those generally accepted as ethical or appropriate in the U.S., could interrupt or otherwise disrupt the shipment of our products, harm our trademarks or damage our reputation. The occurrence of any of these events could materially adversely affect our business, financial condition and results of operations. Our success depends on the continued protection of our trademarks and other proprietary intellectual property rights. Our trademarks and other intellectual property rights are important to our success and competitive position, and the loss of or inability to enforce our trademark and other proprietary intellectual property rights could harm our business. We devote substantial resources to the establishment and protection of our trademark and other proprietary intellectual property rights on a worldwide basis. Despite any precautions we may take to protect our intellectual property, policing unauthorized use of our intellectual property is difficult, expensive, and time consuming, and we may be unable to adequately protect our intellectual property or determine the extent of any unauthorized use. Our efforts to establish and protect our trademark and other proprietary intellectual property rights may not be adequate to prevent imitation or counterfeiting of our products by others, which may not only erode sales of our products but may also cause significant damage to our brand name. Further, we could incur substantial costs in legal actions relating to our use of intellectual property or the use of our intellectual property by others. Even if we are successful in these actions, the costs we incur could have a material adverse effect on us. ITEM 1B. UNRESOLVED STAFF COMMENTS Not applicable. ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard its information systems and protect the confidentiality, integrity, and availability of its data. The Company s information security program is managed by its Vice President, Operations and Technology, whose team is responsible for leading Company-wide cybersecurity strategy, policy, standards, architecture, and processes. We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF and AI Risk Management Framework). This does not mean that we meet any particular technical standards, specifications, or requirements, but only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Information about cybersecurity risks and our risk management processes is collected, analyzed and considered as part of our overall enterprise risk management program. 14 Table of Contents Key components of our cybersecurity risk management program The Company s cybersecurity program includes: Advanced security infrastructure with state-of-the-art firewalls and intrusion detection systems. Regular cybersecurity training for employees. Strict data access controls and authentication protocols. Continuous monitoring of our networks and systems for signs of unauthorized activity. Partnerships with leading cybersecurity software and hardware providers for real-time systems monitoring and threat intelligence. In the event of a cybersecurity incident, the Company s response plan includes: Immediate containment and assessment of the incident. Notification to relevant stakeholders, including officers, board members, investors and customers where appropriate, in compliance with legal and regulatory requirements. Cooperation with law enforcement and regulatory bodies as needed. Post-incident analysis and measures to prevent future occurrences. At this time, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Risk Factors . Cybersecurity Governance The Company s Board of Directors oversees management s cybersecurity strategy. Management provides a full briefing on various cybersecurity risk matters including risk assessments, mitigation strategies, areas of emerging risk and other areas of importance at least annually. In the event of a cybersecurity incident determined to be significant, management will notify the Board. The Company remains vigilant in its efforts to protect its systems, data, and stakeholders from cybersecurity threats and believes that its proactive and comprehensive approach positions it well to manage these risks effectively.
ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard its information systems and protect the confidentiality, integrity, and availability of its data. The Company s information security program is managed by its Vice President, Operations and Technology, whose team is responsible for leading Company-wide cybersecurity strategy, policy, standards, architecture, and processes. We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF and AI Risk Management Framework). This does not mean that we meet any particular technical standards, specifications, or requirements, but only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Information about cybersecurity risks and our risk management processes is collected, analyzed and considered as part of our overall enterprise risk management program. 14 Table of Contents Key components of our cybersecurity risk management program The Company s cybersecurity program includes: Advanced security infrastructure with state-of-the-art firewalls and intrusion detection systems. Regular cybersecurity training for employees. Strict data access controls and authentication protocols. Continuous monitoring of our networks and systems for signs of unauthorized activity. Partnerships with leading cybersecurity software and hardware providers for real-time systems monitoring and threat intelligence. In the event of a cybersecurity incident, the Company s response plan includes: Immediate containment and assessment of the incident. Notification to relevant stakeholders, including officers, board members, investors and customers where appropriate, in compliance with legal and regulatory requirements. Cooperation with law enforcement and regulatory bodies as needed. Post-incident analysis and measures to prevent future occurrences. At this time, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Risk Factors . Cybersecurity Governance The Company s Board of Directors oversees management s cybersecurity strategy. Management provides a full briefing on various cybersecurity risk matters including risk assessments, mitigation strategies, areas of emerging risk and other areas of importance at least annually. In the event of a cybersecurity incident determined to be significant, management will notify the Board. The Company remains vigilant in its efforts to protect its systems, data, and stakeholders from cybersecurity threats and believes that its proactive and comprehensive approach positions it well to manage these risks effectively.

Company Information