GameStop Corp. 10-K Cybersecurity GRC - 2024-03-26

Page last updated on April 11, 2024

GameStop Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-26 16:12:38 EDT.

Filings

10-K filed on 2024-03-26

GameStop Corp. filed an 10-K at 2024-03-26 16:12:38 EDT
Accession Number: 0001326380-24-000012

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy An important part of our business involves the receipt, processing and storage of personal information of our customers and associates, including, in the case of our customers, payment information. Security of this information and our other proprietary data is imperative to ensure the trust of our customers, vendors, and employees. We assess, identify and 14 manage material risks related to potential cybersecurity attacks on or through our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems through various processes. These processes include a wide variety of controls, technologies, methods, systems, and other processes that are designed to prevent, detect, or mitigate data loss, theft and misuse, and unauthorized access to, or other cybersecurity attacks or vulnerabilities affecting, our data. The assessment of cybersecurity risk is integrated into our overall risk management processes and cybersecurity is identified as a key risk within our Enterprise Risk Management ( ERM ) program. The Company strives to implement cybersecurity policies, standards, processes and controls for assessing, identifying and managing material risks from cybersecurity threats and responding to cybersecurity attacks that are aligned with industry best practices and applicable frameworks. We have an information technology ( IT ) security team, led by our chief information security officer, that is responsible for implementing and maintaining cybersecurity and data protection practices at the Company in close coordination with senior leadership and other teams across GameStop. We seek to address cybersecurity risks through a cross-functional approach, including relevant training for applicable employees and regular reviews and tests of our cybersecurity program that leverage audits performed by our internal audit team. In addition to our in-house cybersecurity capabilities, at times we also engage consultants or other third parties to assist with assessing, identifying and managing cybersecurity risks. We use processes to oversee and identify material risks from cybersecurity threats associated with our use of third-party technology and systems. We maintain processes to reduce the impact of a cybersecurity attack at a third-party vendor. We maintain a cybersecurity incident response plan, which details the incident response procedures and points of contact related to the response processes. The response plan includes a decision-tree-based playbook, which is a supplement to the plan, and focuses on specific types of incidents and the appropriate response steps. As of the date of this report, we are not aware of any recent cybersecurity attacks that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. See Item 1A. Risk Factors for additional information about the risks to our business associated with a breach or compromise to our information security systems. Governance As indicated above, we have an IT security team, led by our chief information security officer, that is responsible for implementing and maintaining centralized cybersecurity and data protection practices at the Company in close coordination with senior leadership and other teams across GameStop. The security team s leadership has an average of over 12 years of prior work experience in various roles including monitoring, response, compliance and privacy. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee on any appropriate items. The Audit Committee of the Board of Directors, with input from management, assesses the measures implemented by us to mitigate and prevent cybersecurity attacks. The Company s IT team consults with, and provides regular updates to, our Audit Committee, as well as members of our senior management team, as appropriate, on technology and cybersecurity matters, the status of projects to strengthen our information security systems, assessments of our cybersecurity program, and timely reports regarding any cybersecurity attack that meets established reporting thresholds. Our Audit Committee has oversight responsibility for our cybersecurity program. 15

Company Information