Torrid Holdings Inc. 10-K Cybersecurity GRC - 2024-04-02

Page last updated on July 16, 2024

Torrid Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-02 16:06:43 EDT.


10-K filed on 2024-04-02

Torrid Holdings Inc. filed a 10-K at 2024-04-02 16:06:43 EDT
Accession Number: 0001628280-24-014351


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We rely extensively on various information systems, operated by us as well as third-party service providers, to manage many aspects of our business. We are susceptible to a number of significant and persistent cybersecurity threats, including those common to most industries as well as those we face as a retailer, operating in an industry characterized by a high volume of customer transactions and collection of sensitive data. These threats, which are constantly evolving, include data breaches, ransomware, and phishing attacks. We, and our vendors and suppliers, regularly face attempts by malicious actors to breach our security and compromise our information technology systems, and a cybersecurity incident impacting us or any vendor or supplier could significantly disrupt our operations and result in damage to our reputation, costly litigation and/or government enforcement action. Accordingly, we recognize the critical importance of maintaining the safety and security of these information systems and have implemented multiple layers of cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage cybersecurity risk.

Our enterprise risk management framework considers cybersecurity risk alongside other company risks as part of our overall risk assessment process. Efforts to assess, identify, and manage cybersecurity risk are led by our dedicated Chief Technology Officer (“CTO”), and supported by an experienced team, other members of management, and the Board. From time to time, we engage consultants, auditors, and other third parties to assist us in these efforts. We assess our information security program using an industry-leading cybersecurity framework, the Center for Internet Security Critical Security Controls. A risk assessment along with risk-based analysis and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on us and others if a risk materializes, feasibility and cost of controls and impact of controls on operations.

To test our cybersecurity program, we perform periodic vulnerability testing, engage an independent third party to perform periodic internal and external penetration testing, and engage other third parties to conduct periodic assessments of our cybersecurity capabilities. We continuously expand training and awareness practices to mitigate risk from human error, including mandatory computer-based training and internal communications for employees. Our employees undergo cybersecurity awareness training and regular phishing awareness campaigns that are based upon and designed to emulate real-world contemporary threats. We provide prompt feedback (and, if necessary, additional training or remedial action) based on the results of such exercises.

Our processes also address cybersecurity risks associated with our use of third-party service providers used in different capacities to provide or operate some of our cybersecurity controls and technology systems. We proactively evaluate the cybersecurity risk of a third party by utilizing a repository of risk assessments and external monitoring sources, including performing dark web analyses, to better inform us during contracting and vendor selection processes. Security issues are documented and tracked, and periodic monitoring of third parties is conducted in an effort to mitigate risk.

In addition to the processes, technologies, and controls that we have in place that are designed to reduce the likelihood of a material cybersecurity incident (or series of related cybersecurity incidents), we have a written incident response plan outlining how to address cybersecurity events that occur. The plan sets forth the steps for coordination among various corporate functions and governance groups, including the legal and finance functions, the Board, and external breach counsel, and serves as a framework for the execution of responsibilities across businesses and operational roles. Our incident response plan is designed to help us coordinate actions to prepare for, detect, respond to and recover from cybersecurity incidents, and includes processes to triage, assess severity, escalate, contain, investigate, and remediate the incident, as well as to assess the need for disclosure, comply with applicable legal obligations and mitigate the impact to our brand and reputation and on impacted parties. In addition to our cybersecurity incident response plan, we conduct tabletop exercises to enhance our incident response preparedness. We maintain business continuity and disaster recovery plans for certain critical applications and services to prepare for and respond to the potential for a disruption in the technology we rely on.

Impact of cybersecurity risks on business strategy, results of operations or financial condition

Torrid (or the third parties it relies on) may not be able to fully, continuously, or effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine whether and how to implement certain security controls and it is possible that we may not implement the necessary controls if we are unable to recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate cybersecurity risks. Cybersecurity events, when detected by security tools or third parties, may not always be identified immediately or addressed in the manner intended by our cybersecurity incident response plan. While we maintain cyber risk insurance, the costs relating to certain kinds of security incidents could be substantial, and our insurance may not be sufficient to cover all losses related to any future incidents involving our data or systems. See “Risks Related to Our Business” in Item 1A, “Risk Factors” in this Annual Report for a discussion of cybersecurity risks that may materially impact us.

Based on the information available as of the date of this Annual Report, no material risks from known cybersecurity incidents have, either individually or in the aggregate, materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. There is no guarantee that any risks from cybersecurity threats will not materially affect us in the future.

Cybersecurity Governance

The Board oversees our overall risk assessment process, where we assess key enterprise risks within the company, and at least quarterly, senior management reviews these risks with the Board. Cybersecurity and other technology risks, which are considered in our enterprise risk management framework, continue to remain a top priority for the Board. Primary oversight responsibility for cybersecurity and other technology risks has been given to the Audit Committee by the Board.

Our cybersecurity risk management and strategy processes are led by our CTO, assisted by our Vice President of Infrastructure and Operations. Together, they have over 20 years of combined professional experience in various roles across multiple industries involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, and managing multiple industry and regulatory compliance environments.

At least quarterly, the Audit Committee, Chief Executive Officer and senior finance and legal management evaluate, review and discuss with the CTO our cybersecurity, privacy and data security programs, the status of projects to strengthen internal cybersecurity, results from third-party assessments, recent cybersecurity incidents at other companies and the emerging threat landscape. Significant cybersecurity incidents are reviewed and discussed with the Audit Committee and senior finance and legal management as required by our cybersecurity incident response plan.

Company Information

Name: Torrid Holdings Inc.
SIC Description: Retail-Apparel & Accessory Stores
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: January 30