STEVEN MADDEN, LTD. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

STEVEN MADDEN, LTD. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 07:13:18 EST.

Filings

10-K filed on 2026-03-02

STEVEN MADDEN, LTD. filed a 10-K at 2026-03-02 07:13:18 EST
Accession Number: 0001628280-26-012995


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

The Company employs a comprehensive, cross-departmental approach to continuously assess, identify, and manage potential cybersecurity risks, with direct involvement from the Board of Directors, primarily through the Audit Committee of the Board, and senior management. Collaboration is required between our employees, the information technology ("IT") security team, which is led by our Chief Information Security Officer ("CISO"), the Information Security Steering Committee ("ISSC"), which is chaired by our CISO and comprised of executive and senior representatives from key corporate functions and is overseen by the Board of Directors, and the Core Cyber Incident Response Team ("CIRT"), which is led by our CISO and includes members from ISSC and our technology teams. The Company's cybersecurity policies, standards, processes, and practices are integrated into the Company's overall risk management program and we regularly consider cybersecurity risks in the context of material risks to the Company. Our cybersecurity risk management program categorizes cybersecurity risks into five areas: identify, protect, detect, respond, and recover. We regularly assess the cybersecurity threat landscape, employing a layered cybersecurity strategy that emphasizes prevention, detection, and mitigation through a variety of technical and operational measures. As a part of our cybersecurity risk management program, our information security program is tailored to address identified risks, while aligning with pertinent business requirements. We foster a shared responsibility for the Company's cybersecurity with all of our employees, conducting periodic phishing simulation campaigns and providing regular, mandatory cybersecurity training to enhance awareness and readiness against potential cyber threats.
As part of the Company's information security program, all global employees are required to complete annual training on information security awareness, including cybersecurity, global data privacy requirements, and information technology compliance measures. Certain roles require additional role-based, specialized cybersecurity training to ensure proactive preparation and effective coordination in the event of a security incident. We engage a third party to conduct annual tabletop exercises for members of our ISSC and CIRT units. During this exercise, we rehearse our incident response plan, as well as identify and prioritize opportunities for improvement within our cybersecurity program and associated security controls, through a customized simulation specifically tailored to our current environment, processes, and procedures. Furthermore, job function-specific training and testing exercises are delivered by an external partner and aligned with specific job responsibilities. For example, IT personnel receive additional training related to privileged access, while finance personnel receive targeted training and random testing designed to mitigate risks related to phishing, deepfake, and business email compromise. To protect our data and information systems, we maintain Company-wide cybersecurity policies and procedures regarding encryption standards, antivirus protection, remote access, multifactor authentication, confidential information, and internet, social media, email, and wireless device usage. Our IT security team reviews and updates such policies and procedures to adapt to evolving cybersecurity landscapes, industry best practices, and regulatory and statutory updates. Our CISO conducts thorough reviews of these updates to ensure their continued relevance and effectiveness in safeguarding the Company's assets and business interests. Key members of our leadership team and our technology teams undergo annual cyber incident tabletop exercises.
As part of our broader cybersecurity risk management framework, the Company maintains compliance with PCI DSS standards. This program governs the security of our payment processing environment, ensuring that credit card data is handled through encrypted channels and segmented networks to mitigate the risk of unauthorized access or data exfiltration. We continually seek to update our IT security, encompassing end-user training, layered defenses, critical asset identification and protection, enhanced monitoring and alerting, and engagement with third-party experts to evaluate the efficacy of our security measures. We engage reputable third parties to assist in the monitoring, protection, detection, and potential remediation of cybersecurity threats and incidents. We also regularly evaluate cybersecurity risks associated with our use of third-party service providers, conducting an annual review of hosted applications and assessing their cybersecurity preparedness. Risks from cybersecurity threats, including as a result of previous cybersecurity events encountered by the Company and known events encountered by third parties with a connection to the Company, have not materially affected our Company, including our business strategy, results of operations, or financial condition. The Company did not experience a material third-party information security breach in the last three years.

Governance

Management

Our Chief Information Security Officer (CISO) is primarily responsible for evaluating and managing the Company's significant cybersecurity risks, as well as developing and implementing the related risk management policies and procedures. The CISO directs the Company's information security and cybersecurity risk management programs, providing quarterly status reports to both the Information Security Steering Committee (ISSC) and the Audit Committee of the Board of Directors.
With more than 25 years of experience across technology, cybersecurity operations, and engineering functions, the CISO holds a bachelor's degree in computer information science, a master's degree in technology management, a CISO Certificate from Carnegie Mellon University, and maintains ISC2 CISSP certification. Other members of the management team support our CISO in overseeing cybersecurity risk management through participation in the ISSC, which is chaired by the CISO and includes the Chief Executive Officer, Chief Financial Officer & Executive Vice President of Operations, Chief Information Officer, General Counsel, President of Direct-to-Consumer and Global Digital, Privacy Counsel, and the Vice President of Internal Audit. The ISSC regularly reviews and discusses comprehensive quarterly and annual reports presented by the CISO and IT security team, facilitating informed, collaborative, and consensus-based guidance on information security for the Company. Our Cybersecurity Incident Response Team (CIRT) operates as a dedicated frontline unit tasked with the rapid detection, assessment, and containment of potential threats. The CIRT employs a structured escalation framework to ensure material risks are identified and communicated with velocity. Upon identifying a potential threat, the CIRT conducts an immediate severity assessment. Any significant events are escalated to the ISSC to evaluate potential business, financial, or reputational impacts. In coordination with the ISSC, the CIRT ensures that the Audit Committee of the Board of Directors is promptly notified of any incidents deemed to have a material impact on the Company's operations or financial condition.
Board of Directors

The Audit Committee of the Board of Directors has responsibility for oversight of information and cybersecurity risks and assessment of cyber threats and defenses, and it oversees management to ensure that the processes designed, implemented, and maintained with respect to such risks are functioning as intended and adapted when necessary to respond to changes in our strategy, as well as emerging risks. Given the importance of information security and cybersecurity to our stakeholders, our Audit Committee reviews quarterly reports from our CISO regarding the Company's cybersecurity strategies for mitigating known risks, any newly identified risks, existing projects, and key performance insights and engages in discussions with management based on such reports and other recent developments. Over the past three years, we have not identified any cybersecurity threats that have materially affected, or that we believe are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. However, despite our best efforts, cybersecurity risks cannot be fully eliminated, and there can be no assurance that we have not experienced, or will not experience, cybersecurity incidents, including incidents that may not be immediately detected. For additional information about these risks, see Part I, Item 1A, "Risk Factors" in this Annual Report on Form 10-K.


Company Information

Name: STEVEN MADDEN, LTD.
CIK: 0000913241
SIC Description: Footwear, (No Rubber)
Ticker: SHOO - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31