Victoria's Secret & Co. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

Victoria’s Secret & Co. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 16:18:13 EDT.

Filings

10-K filed on 2024-03-22

Victoria’s Secret & Co. filed a 10-K at 2024-03-22 16:18:13 EDT
Accession Number: 0001856437-24-000005


Item 1C. Cybersecurity.

As a publicly traded company, we recognize the critical importance of effective cybersecurity risk management to safeguard our operations, protect sensitive information and ensure the trust of our customers and stakeholders.

Risk Management & Strategy

We maintain a robust cybersecurity risk management program designed to assess, identify and manage material risks from cybersecurity threats, which encompasses the following key components.

Risk Assessment

We regularly conduct comprehensive cybersecurity risk assessments to identify vulnerabilities, threats and potential impacts on our business operations and stakeholders. We actively monitor and gather threat intelligence to stay informed about emerging cyber threats and vulnerabilities relevant to our industry and operations. We engage independent third-party assessors for periodic cybersecurity program assessments against industry accepted frameworks and to perform technical penetration assessments. We assess ourselves against the Center for Internet Security Top 18 controls framework, the National Institute of Standards and Technology Cybersecurity Framework, the Payment Card Industry Data Security Standard and management defined technology controls to support our internal controls over financial reporting.

Incident Detection and Response

We have established procedures for monitoring network activities, detecting anomalies and responding to cybersecurity incidents promptly. We engage a specialized managed services firm to provide continuous monitoring and an initial level of incident response. We work with a leading cyber forensics firm to provide incident response services as needed. Our incident response and escalation procedures are documented to classify incidents according to defined thresholds. Our core incident response and extended incident response teams are cross-functional and include leaders across technology, legal, finance, asset protection, customer care, human resources, stores operations and communications. Protocols to notify our executive leadership team and Board of Directors are in place based on the severity of the incident.

Third-party Risk

In addition to our own systems, we use third-party service providers to store, transmit and process information on our behalf. Third-party risk management is embedded in our cybersecurity risk management function. We leverage an independent cybersecurity assessment exchange service to gather information and provide real-time threat monitoring of our most critical third parties. We review relevant cybersecurity assessment reports and certifications from our third parties. Our standard contract terms also require third parties to maintain a standard level of security and controls.

Governance

Our cybersecurity risk management processes are integrated into our overall enterprise risk management system. Our Board of Directors (the "Board") understands the critical nature of managing risks associated with cybersecurity threats. The Board has established robust oversight mechanisms to provide effective oversight of risks associated with cybersecurity.

Board of Directors Oversight

The Audit Committee has been delegated the primary responsibility for the Board’s oversight of cybersecurity risks. Executive summaries of our internal risk assessments, program initiatives, regulatory compliance and incident summaries are shared with our Audit Committee on a semi-annual basis, with additional updates as needed. Our third-party assessment and audit results, which are performed on an annual basis, and associated remediation plans are also shared with our Audit Committee. Additionally, our Internal Audit function independently conducts periodic reviews of our cybersecurity controls and reports the results of those reviews to the Audit Committee. The Audit Committee reports to the Board on cybersecurity risk oversight at least annually.

Management’s Role in Managing Cybersecurity Risk

Our Chief Information Security Officer ("CISO") has primary responsibility for assessing, monitoring, and managing our cybersecurity risks. Our CISO has over 25 years of security experience in executive leadership, operations, incident response, and consulting in various industries including retail, technology and healthcare, as well as support of Federal government agencies and intelligence. Our CISO reports to our Chief Information Officer ("CIO"), who is also responsible for overseeing cybersecurity risks and communicating with the Board and Audit Committee.

We have a structured process to identify and oversee material cybersecurity risks. We maintain a robust set of cybersecurity policies that set the standards and expectations for our associates, contractors and vendors to follow. We report cybersecurity metrics quarterly to our technology leadership, including our CIO and CISO, and our Enterprise Risk Management team. We have an Executive Risk Council, comprised of executive leadership across the business, which is briefed quarterly on the latest cybersecurity threats impacting our business, and the progress of recent and ongoing cybersecurity program efforts, incidents and risk assessments. The Executive Risk Council provides input as needed to strengthen our cybersecurity controls and risk management.

We do not believe that any risks we have identified from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.

For additional information regarding cybersecurity risks we are subject to, refer to Item 1A. Risk Factors in this Annual Report on Form 10-K.


Company Information

Name: Victoria’s Secret & Co.
CIK: 0001856437
SIC Description: Retail-Women’s Clothing Stores
Ticker: VSCO - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: February 2