V F CORP 10-K Cybersecurity GRC - 2024-05-23

Page last updated on July 16, 2024

V F CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-23 14:00:17 EDT.

Company Summary

VF Corporation (formerly Vanity Fair Mills until 1969) is an American global apparel and footwear company founded in 1899 by John Barbey and headquartered in Denver, Colorado. The company’s 13 brands are organized into three categories: Outdoor, Active and Work. In 2015, the company controlled 55% of the U.S. backpack market with the JanSport, Eastpak, Timberland, and The North Face brands.
Source: Wikipedia

Filings

10-K filed on 2024-05-23

V F CORP filed a 10-K at 2024-05-23 14:00:17 EDT
Accession Number: 0000103379-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Our business operations and relationships with consumers, customers, employees and business partners rely heavily on information technology (“IT”) systems and data. We also recognize the need to continually assess cybersecurity risk and evolve our management approach in the face of a rapidly and ever-changing environment. Accordingly, we aim to protect our business operations, including consumer, employee and confidential business records and information, against known and evolving cybersecurity threats. We have established processes for identifying, assessing, and managing material risks from cybersecurity threats using a systematic framework intended to protect the confidentiality, integrity, and availability of the Company’s important IT systems and data. Oversight responsibility in this area is shared by the Board, its Audit Committee, and management. Responsible party Oversight of cybersecurity Board of Directors Oversight of cybersecurity within VF’s overall risks Audit Committee Primary oversight responsibility for cybersecurity, including internal controls designed to identify, assess, and manage risks related to cybersecurity Management Our Chief Information Security Officer (“CISO”), General Counsel, Chief Strategy and Business Development Officer (“CSBDO”), and other senior members of our digital and technology and risk teams are responsible for identifying, assessing, and managing risks related to these topics, and reporting to the Audit Committee and/or the full Board of Directors Management receives a cybersecurity and information security maturity assessment from a third-party assessor biannually to gain a third-party view of our cybersecurity and information security program. We have integrated the identification, assessment and management of cybersecurity risks into VF’s enterprise risk management program, ensuring alignment with our overall approach to risk oversight by the Board, its committees, and management. The Board receives an annual update from VF senior leadership on cybersecurity and information security matters. The Audit Committee receives regular reports from VF senior leadership, including the CISO, on cyber threats, information security risks and controls, and other program updates, as well as enterprise risk management program updates. The Audit Committee regularly briefs the Board on these cybersecurity matters, and the Board also receives periodic briefings on cyber threats and best practices to enhance our directors’ literacy on cybersecurity and information security issues. We place a high priority on securing confidential business information and the sensitive personal information we receive and store about our consumers, customers and employees. We have systems in place to securely receive and store that information and to detect, contain, and respond to cybersecurity incidents. We also have processes to manage risk from cybersecurity threats associated with third parties, including service providers, such as risk assessments and contractual requirements that include cybersecurity measures. In addition, we have a cybersecurity and information security training and compliance program in place to support our teams who work in areas of cybersecurity and information security risk. As part of this program, VF associates who have access to confidential information receive training at least annually on cybersecurity and information security. To respond to the threat of security breaches and cyberattacks, VF maintains a program, overseen by VF’s CISO and CSBDO, that is designed to protect and preserve the confidentiality, integrity and continued availability of all information and systems owned by, or in the care of, VF. This program also includes a cyber incident response plan that provides processes for timely and accurate reporting of any material cybersecurity incident. Our CISO has over thirty years of experience as a cybersecurity professional, including experience as the CISO of two large retailers, and reports to our CSBDO, who leads our digital and technology functions and has nearly twenty years of experience enabling digital transformation for global companies. In addition, members of VF’s information security, IT and privacy teams have broad experience and expertise in selecting, deploying and operating cybersecurity technologies, initiatives and processes around the world. VF also engages service providers, consultants and other third parties in connection with these processes to provide augmented cybersecurity capabilities, deliver strategic advice, provide assurance regarding the effectiveness of certain processes and assist in cybersecurity incident response efforts, as needed. VF also maintains a cybersecurity risk insurance policy. VF’s IT systems have been subject to cybersecurity incidents in the past, including the previously disclosed December 2023 cybersecurity incident (the “Cyber Incident”). We believe the impacts of the Cyber Incident were not material to VF’s financial condition or results of operations. In addition, we do not believe that risks from cybersecurity threats have materially affected VF’s business strategy, financial condition, or results of operations. However, there is no guarantee that future cybersecurity incidents will not have a material impact in the future. Furthermore, processes designed to manage cyber risks, including those described herein, may not be effective. To learn more about risks from cybersecurity threats, as well as risks from the Cyber Incident, see the following risk factors in Item 1A of this Part I, under the headings, “VF relies significantly on information technology. Any inadequacy, interruption, integration failure or security failure of this technology could harm VF’s ability to effectively operate its business,” “VF is subject to data and information security and privacy risks that could negatively affect its business operations, results of operations or reputation,” and “We experienced a significant data security breach in December 2023 which could result in a number of potentially unknown outcomes, including but not limited to, litigation, regulatory investigations or enforcement actions, or reputational harm, any of which could have a material impact on our business operations, financial condition, or results of operations.” Additional risks and uncertainties not currently known or that may currently be deemed to be immaterial also may materially adversely affect VF’s business strategy, financial condition, or results of operations. VF is seeking reimbursement of costs, expenses and losses stemming from the Cyber Incident by submitting claims to VF’s cybersecurity insurers. The timing and amount of any such reimbursements are not known at this time. VF Corporation Fiscal 2024 Form 10-K

Company Information