COLUMBIA SPORTSWEAR CO 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

COLUMBIA SPORTSWEAR CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:13:58 EST.

Filings

10-K filed on 2026-02-25

COLUMBIA SPORTSWEAR CO filed a 10-K at 2026-02-25 16:13:58 EST
Accession Number: 0001050797-26-000028

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Management's Role in Managing Risk Our management team is responsible for identifying, assessing and managing the material risks facing the Company. On January 6, 2025, the Company's Executive Vice President, Chief Digital Information Officer, departed the Company. Jim Swanson, Executive Vice President and Chief Financial Officer, oversaw the digital technology department at the Company in an interim capacity until January 21, 2026 when the Company appointed a Senior Vice President, Chief Technology Officer ("CTO"). The CTO, together with our Chief Information Security Officer ("CISO"), are responsible for identifying, assessing and managing risks facing the Company from cybersecurity threats impacting our internal systems and/or systems supported by third-party providers. Our CTO has served in various information technology roles for over 20 years, including the role of CTO at a private company and management of information technology programs of private and public companies. Our CISO has served in various information technology and information security roles for over 20 years, including management of information security programs in the Department of Defense and private and public companies, and holds multiple industry certifications in information security. We leverage certain third-party providers and our internal Incident Response Team to help alert us when a cybersecurity event occurs. Cybersecurity events may include unauthorized access, attacks on our resources, compromised accounts, malware, or ransomware. Upon alert of an event, we estimate the level of severity, create a response plan, and communicate to management as needed. Based on the estimated level of severity, timing of incident communication to management may vary in accordance with established escalation protocols. Our cybersecurity risk assessment process is subject to change in the future as threats may evolve over time. An Information Security committee oversees this cybersecurity program and consists of senior management, including Mr. Swanson and our Chief Administrative Officer and General Counsel. At least quarterly, this committee reviews updates regarding cybersecurity threats and incidents that have occurred. Periodically, this committee approves cybersecurity strategy and initiatives proposed by our CTO and CISO. In 2025, we engaged an independent third party review of our cybersecurity program against the NIST Cybersecurity Framework 2.0 to provide an independent assessment and perspective measured against industry standards. Additionally, we periodically engage independent third parties to perform audits of portions of our cybersecurity control environment based on risk. Cybersecurity risks are also considered in the Company's enterprise risk management program. Board Oversight Our Board of Directors ("Board") generally oversees Columbia's risk management practices and processes. The Board has delegated primary oversight of the management of cybersecurity risk to the Audit Committee. The Audit Committee performs an annual deep dive on the strategies, investments and risks related to Columbia's information technology systems, including a review of Columbia's cybersecurity COLUMBIA SPORTSWEAR COMPANY | 2025 FORM 10-K | programs, and also receives quarterly updates from our CTO and CISO. The Board is informed of cybersecurity events to the extent they may materially impact Columbia or management otherwise believes they should be escalated to the Board. Risks from Cybersecurity Threats In the three-year period ended December 31, 2025, we are not aware of any cybersecurity incidents that have had a material impact on our business. There can be no assurance that we, or the third parties with which we interact, will not face a cybersecurity incident in the future that will materially affect us. See Item 1A of this Annual Report on Form 10-K for more information of risks relating to cybersecurity, including the risk factors "We Rely on Information Technology Systems, including Third-Party Cloud-based Solutions, and Any Failure of These Systems or Interruption in Services Provided by the Systems May Result in Disruptions or Outages in Our E-Commerce and In-Store Retail Platforms, Loss of Processing Capabilities, and/or Loss of Data, Any of Which May Have a Material Adverse Effect on Our Financial Condition, Results of Operations or Cash Flow" and "A Security Breach of Our or Our Third Parties' Systems, Exposure of Personal or Confidential Information or Increased Government Regulation Relating to Handling of Personal Data, Could, Among Other Things, Disrupt Our Operations or Cause Us to Incur Substantial Costs or Negatively Affect Our Reputation".

Company Information