Lovesac Co 10-K Cybersecurity GRC - 2024-04-11

Page last updated on April 11, 2024

Lovesac Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-11 16:02:31 EDT.

Filings

10-K filed on 2024-04-11

Lovesac Co filed an 10-K at 2024-04-11 16:02:31 EDT
Accession Number: 0001628280-24-015804

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K . These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. The Company is committed to protecting its information system and data from cyber threats. As part of our ongoing efforts to enhance our cybersecurity posture, we conduct an annual review of our information technology control environment and engages third-party security experts to conduct risk and vulnerability assessments including penetration testing. We additionally utilize third party technical tools to control system access and filter, restrict and regulate content that may pose a material risk to the Company. Employees are required to use multi-factor authentication to access Company systems and undergo annual security training. Management is responsible for identifying, monitoring and mitigating the material risks facing the Company, including cybersecurity risks. Management provides regular reports to the Board at every meeting to review our top risks, identify trends and help manage risk. Our cybersecurity risk management and strategy is overseen by our Chief Information Officer as well as other members of the senior leadership team at Lovesac. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents and report to the Board on any appropriate items. Our Chief Information Officer has over 35 years of experience managing information technology and cybersecurity matters and is responsible for assessing and managing these cybersecurity risks. Team members who support our information security program have relevant educational and industry experience. Cybersecurity Governance Cybersecurity is an important part of our risk management and an area of focus for our Board and management. Our Board of Directors is responsible for the oversight of risks from cybersecurity threats. The Board receives updates on a quarterly basis from senior management, including leaders from our Information Technology and Security, Risk Management. Finance, and Legal teams and our Chief Information Officer regarding matters of cybersecurity. This includes existing and 31 Table of Contents new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. The Audit Committee , of the Company s Board of Directors oversees, among other things, the adequacy and effectiveness of the Company s internal controls, including internal controls designed to assess, identify, and manage material risks from cybersecurity threats. The Board of Directors, as a whole and at the Audit Committee level, oversee the most significant risks facing the Company and our processes to identify, prioritize, assess, manage and mitigate those risks. The Audit Committee, which is comprised solely of independent directors, has been designated by our Board to oversee cybersecurity risk. The Audit Committee is informed of material risks from cybersecurity threats pursuant to the escalation criteria as set forth in the Company s disclosure controls and procedures. Although the Company endeavors to mitigate cybersecurity risks, we face cybersecurity risks, threats and attacks that could have a material adverse effect on the Company s business strategy, results of operations or financial condition. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, Risk Factors, under the heading Legal, Tax and Regulatory Risks.

Company Information