Page last updated on February 13, 2026
lululemon athletica inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 16:12:41 EDT.
Filings
10-K filed on 2025-03-27
lululemon athletica inc. filed a 10-K at 2025-03-27 16:12:41 EDT
Accession Number: 0001397187-25-000013
Item 1C. Cybersecurity.
Risk Management and Strategy
Our business operations and relationships with customers and suppliers are heavily reliant on technology. We operate a cybersecurity program designed to assess our security risks and threats, to manage those risks and protect our technology systems and data, and to detect and respond to cybersecurity incidents.
We manage strategic risks, including cybersecurity risk, through our Enterprise Risk Management program, which has direct involvement from the board of directors, the audit committee, and senior management. Through this process, we have identified cybersecurity as a risk management priority.
Governance
Our board of directors is responsible for the oversight of cybersecurity risks and has delegated primary responsibility to the audit committee. The audit committee oversees our enterprise risk assessments and management policies, procedures, and practices, including those related to information security, cybersecurity, and data protection.
The audit committee maintains a cybersecurity sub-committee comprised of our EVP, Chief Information Officer ("CIO"), our SVP, Chief Information Security Officer ("CISO"), and representatives from the audit committee and board of directors with knowledge and experience in cybersecurity matters.
The cybersecurity sub-committee:
- Reviews cybersecurity risk assessments
- Monitors and reports on risk mitigation efforts
- Discusses regulatory and market developments
- Reviews processes for identifying and responding to cybersecurity incidents
- Reviews details of cybersecurity incidents that have occurred
Management generally meets with, and provides reports to, the cybersecurity sub-committee on a quarterly basis. Our CIO and CISO also meet with and provide reports to the audit committee at least quarterly.
The board of directors receives periodic reports regarding the activities of the cybersecurity sub-committee. These reports and meetings are designed to inform the board of directors and its committees about the current state of our information security program, including cybersecurity risks, the nature, timing, and extent of cybersecurity incidents, if any, and the resolution of such matters.
Cybersecurity Program and Incident Response
Our CISO is responsible for our cybersecurity program, including risk assessments, information security activities, and controls. The CISO establishes and maintains corporate information security policies and oversees our risk management activities, which prioritize vulnerability management, risk reduction, and prevention.
Our CISO also leads our Cyber Defense and Incident Response ("CDIR") team, which identifies, assesses, escalates, and remediates cybersecurity incidents. Our CISO has over 30 years of experience in the field of cybersecurity, bringing an extensive understanding of cybersecurity threats, regulatory compliance, and industry best practices.
The CDIR team:
- Monitors threats related to third parties
- Oversees cloud security
- Addresses malicious code risks
- Secures e-commerce systems
- Secures store technology
- Conducts security reviews
- Assesses vulnerabilities
- Analyzes threat intelligence
Training and Testing
As part of our cybersecurity program:
- Employees complete mandatory e-learning
- Phishing simulations and supplemental campaigns are conducted
- Employees have multiple mechanisms for reporting cybersecurity and data privacy concerns
- Third-party advisors assess critical systems
- High-risk vulnerabilities are remediated
- Independent third parties perform penetration testing on key systems
Incident Escalation and Materiality
As part of our cyber incident response plan, we utilize an established framework to assess the severity of cybersecurity incidents. Under the plan, incidents are escalated to relevant senior management and the board of directors, as appropriate, based on their severity. Our disclosure committee assesses the materiality of severe incidents using both quantitative and qualitative factors.
Third Parties
We utilize third-party service providers as a normal part of our business operations.
To address cybersecurity risks arising from our relationships with third-party service providers, we employ a vendor risk program.
Key components include:
- Monitoring risks relating to potential compromises of sensitive information
- Periodic re-evaluation of risks associated with partners
- Vendor risk assessments prior to exchanging data
- Third-party security reviews
- Evaluation of vendor networks, processes, and systems
- Annual attestation reports related to data security and privacy from certain providers
These practices support compliance with industry-standard cybersecurity protocols.
Impact of Cybersecurity Risks on Strategy and Results
As of the date of this annual report, we are not aware of any cybersecurity incidents that have had a material impact on our business.
However, like many companies, we continue to face ongoing cyber threats, including phishing and other unauthorized access attempts, which, if successful, could have a material impact in the future.
For more information, see "Risks related to information security and technology" included in Item 1A. Risk Factors of this annual report.
Company Information
| Name | lululemon athletica inc. |
| CIK | 0001397187 |
| SIC Description | Apparel & Other Finishd Prods of Fabrics & Similar Matl |
| Ticker | LULU - Nasdaq |
| Category | Large accelerated filer |
| Fiscal Year End | February 2 |