Designer Brands Inc. 10-K Cybersecurity GRC - 2024-03-25

Page last updated on April 11, 2024

Designer Brands Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 16:03:44 EDT.

Filings

10-K filed on 2024-03-25

Designer Brands Inc. filed an 10-K at 2024-03-25 16:03:44 EDT
Accession Number: 0001319947-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity , we utilize a risk-based approach and exercise judgment to determine the security controls to implement, and it is possible that we may not implement appropriate controls if we do not recognize or if we underestimate a particular risk. In addition, security controls, no matter how well-designed or implemented, may only mitigate and not fully eliminate risks. Cybersecurity events, when detected by security tools or third parties, may not always be immediately understood or acted upon. Our failure to protect the value of our banners, Owned Brands, or our reputation could have a material adverse effect on our brands. Our success is largely dependent on our ability to provide our customers with a merchandise assortment that they want and our ability to provide a consistent, high-quality customer experience. We believe that maintaining and enhancing the reputation and recognition of our banners and our Owned Brands are critical to our ability to expand and retain our customer base. Any negative publicity about us or the significant brands we offer may reduce demand for our merchandise. Failure to comply with ethical, social, product, labor, health and safety, accounting, or environmental standards could also jeopardize our reputation and potentially lead to various adverse consumer actions. In addition, negative claims or publicity, including on social media, regarding celebrities with whom we have license and endorsement arrangements could adversely affect our reputation and sales, regardless of whether such claims are accurate. Consumer actions could include boycotts and negative publicity through social or digital media. Negative public perception about us or the products we carry, whether justified or not, could impair our reputation, subject us to litigation, damage our brands, or have a material adverse effect on our business. 13 Table of contents We hold exclusive licensing rights that allow us to design, source, and sell footwear for certain of our key Owned Brands, including Vince Camuto, Jessica Simpson, Lucky Brand, Hush Puppies, and Le Tigre. We rely on our ability to retain and maintain good relationships with the licensors and their ability to maintain strong, well-recognized brands and trademarks. The terms of our license agreements vary and are subject to renewal with various termination provisions, and we may not be able to renew these licenses. Even our longer-term or renewable licenses are typically dependent upon our ability to market and sell the licensed products at specified levels, and our failure to meet such levels may result in the termination or non-renewal of such licenses. Furthermore, many of our license agreements require minimum royalty payments, and if we are unable to generate sufficient sales and profitability to cover these minimum royalty requirements, we may be required to make additional payments to the licensors, which could have a material adverse effect on our business and results of operations. The value of the brands we sell may also depend on the success of our corporate social responsibility (“CSR”) and sustainability initiatives, which require Company-wide coordination and alignment. Risks associated with these initiatives include any increased public focus, including by governmental and nongovernmental organizations, new laws and regulations, increased costs associated with sustainability efforts and/or compliance with laws and regulations, as well as increased pressure to expand our CSR and sustainability disclosures in these areas, make commitments, set targets, or establish additional goals and take actions to achieve such targets and goals. All of the foregoing could expose us to market, operational, and execution costs or risks. Any CSR or sustainability metrics that we currently or may in the future disclose, whether based on the standards we set for ourselves or those set by others, or our failure to achieve any CSR or sustainability metrics that we currently or may in the future disclose, may influence our reputation and the value of the brands that we offer. There is also increased focus, including by investors, customers, and other stakeholders, on CSR and other sustainability matters, including the use of plastic, energy, waste, and worker safety. Our reputation could be damaged if we do not, or are perceived to not, act responsibly with respect to sustainability matters, which could also have a material adverse effect on our business, results of operations, financial position, and cash flows. We are dependent on our customer loyalty programs and marketing to drive traffic, sales, and loyalty, and any decrease in membership or purchases from members could have a material adverse effect on our business. Customer traffic is influenced by our marketing methods and our loyalty programs. We rely on our loyalty programs to drive customer traffic, sales, and purchase frequency. Loyalty members earn points toward discounts on future purchases through our VIP rewards programs in the U.S. and Canada. We employ a variety of marketing methods, including email, direct mail, and social media, to communicate product offerings and various promotions and discounts to all of our customers, as well as exclusive offers to our rewards members. As of February 3, 2024, we had 32.1 million members enrolled in our loyalty programs who have made at least one purchase over the last two years. In 2023, shoppers in the loyalty programs generated approximately 90% of the combined U.S. Retail and Canada Retail segments’ net sales. If our rewards members decrease their purchase frequency or do not continue to shop with us, we fail to add new members, the number of members decreases, or our marketing is not effective in driving customer traffic, such event could have a material adverse effect on our business. Our failure to retain our existing senior management team or continue to attract qualified new personnel could have a material adverse effect on our business. The success of our business is dependent on the continuation of an experienced and talented management team. If we were to lose the benefit of the experience, efforts, and abilities of any of our key executives or members of senior management, our business could be adversely affected. We have entered into employment agreements with certain of our key executives and also offer compensation packages designed to attract and retain talent. In addition, our ability to manage our business will require us to continue to train, motivate, and develop our associates to maintain a high level of talent for future challenges and succession planning. Competition for these types of personnel is intense, and we may not be successful in attracting and retaining the personnel required to grow and operate our business. Our ABL Revolver and Term Loan contain restrictions that could limit our ability to fund operations, which could adversely affect our business. Funds drawn under our ABL Revolver may be used for working capital purposes, capital expenditures, share repurchases, other expenditures, and permitted acquisitions, as defined in the ABL Revolver. The amount of credit available under the ABL Revolver is limited to a borrowing base formulated on, among other things, a percentage of the book value of eligible inventory and credit card receivables, as reduced by certain reserves. Consequently, it is possible that, should we need to access any additional funds from our ABL Revolver, such funds may not be available in full. The ABL Revolver requires us to maintain a fixed charge coverage ratio of not less than 1:1 when availability is less than the greater of $47.3 million or 10.0% of the maximum borrowing amount. 14 Table of contents Our ABL Revolver and Term Loan also contain customary covenants restricting our activities, including limitations on our ability to sell assets, engage in acquisitions, enter into transactions involving related parties, incur additional debt, grant liens on assets, pay dividends, repurchase stock, and make certain other changes. There are specific exceptions to these covenants, including, in some cases, upon satisfying specified payment conditions based on availability. The ABL Revolver and Term Loan contain customary events of default, including failure to comply with certain financial and other covenants. Upon an event of default that is not cured or waived within the applicable cure period, in addition to other remedies that may be available to the lenders, our obligations may be accelerated, outstanding letters of credit may be required to be cash collateralized, and remedies may be exercised against the collateral. RISKS RELATING TO EXTERNAL FACTORS Our international operations and reliance on foreign-sourced merchandise exposes us to risks associated with international matters. We have key international operations in various locations, including Canada, China, and Brazil, and we face risks inherent in sourcing our merchandise from third-party manufacturers and national brand vendors with foreign operations. Our operations may be adversely affected by international political, economic, and social instability local laws and customs legal and regulatory constraints, including compliance with applicable anti-bribery, anti-corruption, labor, trade, and foreign tax laws local business practices, including compliance with foreign laws and with domestic and international labor standards and currency laws and regulations. Risks may also include, among others, public health threats, which has in the past materially adversely impacted our business inclement weather and natural disasters international hostilities, acts of war, including the ongoing war in Ukraine and the Israel-Hamas war, the recent militant attacks on cargo vessels in the Red Sea, which ultimately could adversely impact supplier deliveries or freight costs, or terrorism increases in shipping costs transportation delays and interruptions, including increased inspections of import shipments by domestic authorities or the occurrence of international trade disruptions work stoppages expropriation or nationalization changes in foreign government administration and governmental policies changes in import duties or quotas cost and difficulties associated with managing operations outside of the U.S. possible adverse tax consequences from changes in tax laws or the unfavorable resolution of tax assessments or audits and greater difficulty in enforcing intellectual property rights. Additionally, fluctuations in foreign currency exchange rates may negatively impact our financial results. With a substantial portion of our merchandise being imported from foreign countries, any of these events could result in our failure to obtain merchandise in a timely manner, which ultimately could have a material adverse effect on our business, financial condition, or results of operations. We require our business partners to operate in compliance with applicable laws and regulations and our internal requirements. However, we do not control such third parties or their labor and business practices. The violation of labor or other laws by any one of our vendors could have a material adverse effect on our business. We are subject to stringent and changing privacy laws, regulations, and standards, as well as policies, contracts, and other obligations related to data privacy and security. Our failure to comply with privacy laws and regulations, as well as other legal obligations, could have a material adverse effect on our business. State, federal, and foreign governments have enacted and are continuing to enact laws and regulations governing the collection, use, retention, sharing, transfer, and security of personally identifiable information and data. Our business is subject to a variety of federal, state, local, and foreign laws and regulations, orders, rules, codes, regulatory guidance, and certain industry standards regarding privacy, data protection, consumer protection, information security, and the processing of personal information and other data. For example, the California Consumer Privacy Act of 2018 (“CCPA”) imposes certain restrictions and disclosure obligations on businesses that collect personal information about California residents and provides for a private right of action, as well as penalties for noncompliance. The CCPA provides for civil penalties for violations and creates a private right of action for certain data breaches that is expected to increase data breach litigation. In addition, the California Privacy Rights Act (“CPRA”) took effect in January 2023 (with a look-back for certain requirements to January 2022), which amends and expands the CCPA and places additional restrictions on the “sharing” of personal information for purposes of cross-context behavioral advertising. We are subject to additional state privacy regulations, including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, which regulate the processing of “personal data” regarding their respective residents and which grant residents certain rights with respect to their personal data. State laws are changing rapidly, and new legislation proposed or enacted in a number of other states imposes, or has the potential to impose, additional obligations on companies that process confidential, sensitive and personal information, and will continue to shape the data privacy environment nationally. The U.S. federal government is also significantly focused on privacy matters. 15 Table of contents We are subject to other consumer protection laws and the regulatory environment is increasingly demanding with frequent new and changing requirements concerning cybersecurity, information security, and privacy, which may be inconsistent from one jurisdiction to another. Any failure by us or any of our business partners to comply with applicable laws, rules, and regulations may result in investigations or actions against us by governmental entities, private claims and litigation, fines, penalties, or other liabilities. Such events may increase our expenses, expose us to liabilities, and harm our reputation, which could have a material adverse effect on our business. While we aim to comply with applicable data protection laws and obligations in all material respects, we could be subject to claims that we have violated such laws and obligations, we may not be able to successfully defend against such claims, and we could be subject to significant fines and penalties in the event of non-compliance. Additionally, to the extent multiple state-level laws are introduced with inconsistent or conflicting standards and there is no federal law to preempt such laws, compliance with such laws could be difficult and costly to achieve, or impossible to achieve, and we could be subject to fines and penalties in the event of non-compliance. Extreme or unseasonable weather conditions in locations where we and our vendors operate could have a material adverse effect on our business. Locations where we operate and that we consider to be material to our business, as set forth in
ITEM 1C. CYBERSECURITY RISK MANAGEMENT AND STRATEGY We have developed an information security program that is designed to address material risks from cybersecurity threats. Our information security program is integrated into our overall enterprise risk management process, which the Board ultimately oversees. The Board has delegated its responsibility for cybersecurity risk oversight to the Technology Committee of the Board, which is responsible for (i) regularly reviewing with management significant cybersecurity, privacy, and IT risks or exposures, and our policies and processes with respect to risk assessment and risk management of the same (ii) regularly reviewing with management an assessment of the steps management has taken to monitor and control such risks and (iii) regularly reporting to the full Board on such matters. As described in further detail below, our information security program is led by our Director of IT Security & Compliance (“DITSC”), who is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. The program includes policies and procedures that guide our implementation and maintenance of security measures and controls. Risk-based analysis and judgment of the DITSC and our management team, along with feedback from internal and third-party audits and assessments, are used to select security controls to address risks. The following factors, among others, are considered when identifying security controls: likelihood and severity of a risk, impact on the Company and others if a risk materializes, feasibility of controls, and impact of controls on operations and others. Third parties also play a role in our cybersecurity, as we engage security firms in different capacities to provide or operate some of these controls and technology systems, including cloud-based platforms and services. For example, third parties are used to conduct assessments, such as vulnerability scans and penetration testing. We use a variety of processes to address and oversee cybersecurity threats related to the use of third-party technology and services, including a vendor risk management program. We have a written incident response plan and conduct tabletop exercises to enhance incident response preparedness. We have other response protocols to address operating impacts due to disruptions in services and technology, including scenario run books and mitigation plans for key vendors. Employees undergo security awareness training when hired and annually. 18 Table of contents GOVERNANCE The DITSC is the Company’s management position with primary responsibility for the development, operation, and maintenance of our information security program. The DITSC has over 20 years of experience in cybersecurity, including over 15 years of experience in the Cyber Defense and Electronic Warfare section of the U.S. Army. The DITSC has obtained multiple subject matter certifications, including the Global Information Assurance Certification. The DITSC briefs the Technology Committee of the Board regularly and oversees regular cybersecurity training and education opportunities for the Board, which covers topics ranging from the current threat landscape to our cybersecurity program metrics, risks, and roadmap. Management receives regular updates on cybersecurity risks from the DITSC. In the event of a security incident, the DITSC will follow the escalation process in our incident response plan to notify the Company’s Crisis Committee, which is composed of a cross-functional group of Company leaders. The Crisis Committee will work with the DITSC to respond to and remediate any actual cybersecurity incidents. Depending on the severity of the security incident, the DITSC and the Crisis Committee are to escalate the security incident to the Chief Legal Officer and the Principal Accounting Officer, who will assess materiality in consultation with outside counsel. The Chief Legal Officer will notify the Technology Committee and the Board of any potential material incident. Although the risks from cyber threats have not materially affected our business strategy, results of operations, or financial condition to date, we continue to closely monitor cyber risk. We may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. Risk factors for a discussion of cybersecurity risks.

Company Information