CATO CORP 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

CATO CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 13:01:21 EDT.

Filings

10-K filed on 2024-03-27

CATO CORP filed a 10-K at 2024-03-27 13:01:21 EDT
Accession Number: 0001562762-24-000065


Item 1C. Cybersecurity.

Risk Management Strategy

We recognize the importance of effectively managing cybersecurity risk in protecting our business, customers and employees, and we manage cybersecurity risk as part of our overall risk management system and compliance processes. We maintain a process designed to identify, assess and manage material risks from cybersecurity threats, including risks relating to theft of customer data, primarily payment cards, disruption to business operations or financial reporting systems, fraud, extortion, harm to employee data and violation of privacy laws. In recent years, we have increased our investments in cybersecurity risk management within our environment and have developed an enterprise cybersecurity program designed to detect, identify, classify and mitigate cybersecurity and other data security threats. This program classifies potential threats by risk levels, and we typically prioritize our threat mitigation efforts based on those risk classifications. In the event we identify a potential cybersecurity, privacy or other data security issue, we have defined procedures for responding to such issues, including procedures that address when and how to engage with Company executives, our Board of Directors, other stakeholders and law enforcement when responding to such issues. Additionally, various aspects of our cybersecurity program, particularly compliance with the Payment Card Industry standards, are regularly reviewed by independent third parties. We also maintain cybersecurity insurance, which we believe to be commensurate with our size and the nature of our operations, as part of our comprehensive insurance portfolio. We utilize third-party intrusion detection and prevention systems and vulnerability and penetration testing to monitor our environment. We also use third-party software to test our employees' responses to suspicious emails and to inform targeted cyber awareness training.

Our information security and privacy policies are informed by regulatory requirements and are reviewed periodically for compliance and alignment with current state and federal laws and regulations. We comply with applicable industry security standards, including the Payment Card Industry Data Security Standard (PCI DSS). Because we are aware of the risks associated with third-party service providers, we also have implemented processes to oversee and manage these risks. We conduct security assessments of third-party providers before engagement and maintain ongoing monitoring to help ensure compliance with our cybersecurity standards.

Additionally, we maintain a cybersecurity incident response plan, which is reviewed regularly, and provides a framework for handling and escalating cybersecurity incidents based on the severity of the incident and facilitates cross-functional coordination across the Company. Through the processes described above, we did not identify risks during the year ended February 3, 2024 from current or past cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, we face ongoing risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations, or financial condition. See the risk factors discussed under the heading "Risk Factors - Risks Relating to Our Information Technology, Related Systems and Cybersecurity" for further information.

Governance

Our Board of Directors recognizes the important roles that information security and mitigating cybersecurity and other data security threats play in our efforts to protect and maintain the confidentiality and security of customer, employee and vendor information, as well as non-public information about our Company.

Although the Board as a whole is ultimately responsible for the oversight of our risk management function, the Board has delegated to its Audit Committee primary responsibility for oversight of risk assessment and risk management, including risks related to cybersecurity and other technology issues. The Audit Committee also oversees the Company's internal control over financial reporting, including with respect to financial reporting-related information systems. The Chief Financial Officer (CFO) and Chief Accounting Officer (CAO) meet regularly with the Audit Committee and Board of Directors. The Audit Committee reviews quarterly our cybersecurity activities, including review of annual external assessment results, training results, and discussion of cybersecurity risks and resolutions, and is responsible for elevating significant matters to the Board as events arise. The Audit Committee receives reports from our Chief Information Officer (CIO) annually regarding our cybersecurity framework, as well as our plans to mitigate cybersecurity risks and respond to any data breaches. From a management perspective, our enterprise cybersecurity is overseen by our cybersecurity committee, which is chaired by our CFO and includes our CAO, CIO, Chief Information Security Officer (CISO), as well as key members of financial management, information technology and audit. Our cybersecurity infrastructure is overseen by our CISO, who reports to our CIO. Our CIO reports to our CFO and has served in various roles in information technology and information security for over 30 years.


Company Information

Name: CATO CORP
CIK: 0000018255
SIC Description: Retail-Women's Clothing Stores
Ticker: CATO - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: February 2