LAKELAND INDUSTRIES INC 10-K Cybersecurity GRC - 2024-04-10

Page last updated on April 11, 2024

LAKELAND INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-10 19:30:35 EDT.

Filings

10-K filed on 2024-04-10

LAKELAND INDUSTRIES INC filed a 10-K at 2024-04-10 19:30:35 EDT
Accession Number: 0001654954-24-004465


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational disruption, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy or security laws and other litigation and legal risks, and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.

To identify and assess material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. We employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, and penetration testing, to inform our professionals' risk identification and assessment. We also have a cybersecurity-specific risk assessment process, which helps identify our cybersecurity threat risks by comparing our program to best practices, as well as by engaging experts to attempt to infiltrate our information systems (as such term is defined in Item 106(a) of Regulation S-K). We test and review the result on an annual basis.

Our cybersecurity program includes controls designed to prevent, identify, protect against, detect, respond to and recover from cybersecurity incidents (as such term is defined in Item 106(a) of Regulation S-K), and to provide for the availability of critical data and systems and to maintain regulatory compliance. These controls include the following activities:

- monitor emerging data protection laws and implement changes to our processes designed to comply
- conduct regular cybersecurity management and incident training for all employees
- conduct regular phishing email simulations for all employees with access to corporate email systems to enhance awareness and responsiveness to such possible threats; any employee who fails a phishing test is automatically enrolled in additional cyber training
- through policy, practice and contract (as applicable), require employees, as well as third parties who provide services on our behalf, to treat customer information and data with care
- maintain multiple layers of controls, including embedding technological and administrative security features into our technology investments, multi-factor authentication tools, system access policies and privileges, and network configuration
- perform an annual system access audit with all departments and personnel
- review access logs and continually monitor detection alerts
- conduct annual tabletop exercises to simulate cyber incidents to refine cybersecurity policies, and further implement a remote disaster recovery backup site and failover testing

We perform periodic internal assessments to test our cybersecurity controls and regularly evaluate our policies and procedures surrounding our handling and control of personal data and the systems we have in place to help protect us from cybersecurity or personal data breaches, and we perform periodic internal assessments to test our controls and to help us identify areas for continued focus, improvement, and/or compliance. We have established a cybersecurity risk management process that includes internal reporting of significant cybersecurity risk to our board when found. In addition, our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents. These include processes to triage, assess severity, escalate, contain, investigate, and remediate the incident, as well as comply with potentially applicable legal obligations and mitigate brand and reputational damage.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management program, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading "Cybersecurity incidents could disrupt business operations, result in the loss of critical and confidential information and adversely impact our reputation and results of operations" included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from them were immaterial. This includes penalties and settlements, of which there were none.

Cybersecurity Governance

Cybersecurity is an important part of our enterprise risk management program and an area of increasing focus for our Board and management. We have established a Cyber Security Council, comprised of top-level executives and board members, that acts under the oversight of our Audit Committee. The Cyber Security Council is responsible for the oversight of risks from cybersecurity threats. Management is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of and participation in the cybersecurity risk management process described above, including the operation of our incident response plan.

Annually, the Cyber Security Council receives an overview from management of our cybersecurity threat risk management process and strategy covering topics such as data security posture, results from security assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the Cyber Security Council generally receives materials, including current and emerging material cybersecurity threat risks and describing the company's ability to mitigate those risks, and discusses such matters with our Vice President of Information Technology. Members of the Cyber Security Council are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management process. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters. Any potential threat or incident is reported to the Cyber Security Council based on the severity and potential risk, according to the escalation procedure as defined by the Incident Response Plan.

Our cybersecurity risk management process, which is discussed in greater detail above, is led by our Vice President of Information Technology. This individual has over thirty years of prior work experience in various Information Technology roles including managing information systems and security. Our Vice President of Information Technology and technology professionals have deep experience and skills related to the development, implementation and monitoring of cyber technology assets. Our technology staff and partners have a strong track record of working with major vendors' security, firewall, identity management, and other platforms.


Company Information

Name: LAKELAND INDUSTRIES INC
CIK: 0000798081
SIC Description: Orthopedic, Prosthetic & Surgical Appliances & Supplies
Ticker: LAKE - Nasdaq
Website:
Category: Accelerated filer, Smaller reporting company
Fiscal Year End: January 30