VINCE HOLDING CORP. 10-K Cybersecurity GRC - 2024-05-02

Page last updated on May 2, 2024

VINCE HOLDING CORP. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-02 16:44:14 EDT.

Filings

10-K filed on 2024-05-02

VINCE HOLDING CORP. filed an 10-K at 2024-05-02 16:44:14 EDT
Accession Number: 0000950170-24-052254

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Cybersecurity Risk Management and Strategy The Company is committed to, and recognizes the importance of, information security, cyber readiness, and data privacy protections to our business and reputation, which includes assessing, identifying, and managing material risks associated with cybersecurity threats. Our cybersecurity program uses processes, technologies, and controls to assist in our efforts to assess, identify, and manage material cybersecurity-related risks. The Company employs a number of tools and services, such as network monitoring and vulnerability assessments to inform our risk identification and assessment processes. We also maintain an incident response plan that outlines processes designed to triage, assess the severity of, escalate, contain, investigate, and remediate cybersecurity incidents while also complying with relevant legal obligations. Our employees receive cybersecurity awareness and sensitive information protection training on a regular basis, which we also periodically test for effectiveness through simulations, which may include simulated phishing emails and tabletop exercises. Additionally, the Company regularly makes assessments related to the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems the Company uses. We also maintain cybersecurity risk insurance. Our information security team serves as a first line of defense, including managing cyber risk strategy execution and owning the day-to-day management of these risks. Our enterprise risk management function, which includes members of our executive leadership team, serves as a second line of defense, bringing holistic risk oversight while serving as a partner to the business to help strategically manage risk. In particular, cybersecurity risks are monitored by a team composed of members of our executive team, who in turn provides updates to the Audit Committee of our Board of Directors, who is responsible for assisting the Board of Directors with oversight over cybersecurity risks. Through the processes described above, we did not identify risks from current or past cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. See Part I, Item IA. Risk Factors Risks Related to Our Information Technology and Security . Cybersecurity Governance Our Board of Directors and Audit Committee are actively engaged in the oversight of our information security program, including the Company s technology and information security policies and practices, the internal controls relating to information security, and the steps taken by management to identify, monitor, and control any risk exposures. Our management has general responsibility for day-to-day implementation of our information technology, cybersecurity, and privacy strategies and policies, including deployment and use of security tools, applications, and employee training. Role or project specific employee training, as well as other training, may also occur, as needed. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Officer ( CIO ), who is assisted by other members of our senior management team. The team engaged in the cybersecurity risk management process, including the CIO, has risk management backgrounds, certifications, and/or cyber experience in prior professional roles and at the Company. The team also maintains expertise on cyber risk management through third party consultants, external training, and affiliations with relevant organizations. Given the importance of information security to our customers, employees, suppliers and other partners, our Board and/or the Audit Committee receives reports as needed from our CIO on cybersecurity-related matters, including the status of projects to strengthen our security systems and to improve our cyber threat readiness, as well as on the existing and emerging cyber threat landscape and our program for managing these security risks. 20

Company Information