Container Store Group, Inc. 10-K Cybersecurity GRC - 2024-05-28

Page last updated on July 16, 2024

Container Store Group, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-28 06:29:38 EDT.

Filings

10-K filed on 2024-05-28

Container Store Group, Inc. filed a 10-K at 2024-05-28 06:29:38 EDT
Accession Number: 0001628280-24-025287


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Container Store has developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. We design and assess our program based on a hybrid security framework model using the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Payment Card Industry Security Standard (PCI DSS). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF and PCI DSS as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

We have an enterprise risk management program designed to identify and assess enterprise risks. At certain committee and Board meetings periodically throughout the year, management discusses the risk exposures identified as being most significant to the Company and the related actions that management may take to monitor such exposures. Our cybersecurity risk management program is integrated into our enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the risk management program.

Our cybersecurity risk management program currently includes the following key elements, which are deployed as the Company deems applicable:

- We conduct periodic risk assessments, as well as internal and external vulnerability scanning and penetration testing of select systems and platforms, which are designed to help identify material risks from cybersecurity threats to our critical systems and information.
- We have established security procedures for day-to-day operations designed to promote optimal system performance and maintain the integrity of critical systems and information, including detection, prevention and recovery controls, as well as backup procedures designed to prevent the loss of critical data, among other practices.
- Our policy is to train employees and relevant contractors on cybersecurity awareness. The Company’s office-based associates, store-based associates and certain distribution and fulfillment center associates are required to undergo security awareness training at the time of hiring. The Company’s store-based associates may also receive ad hoc cybersecurity awareness communications and materials as part of their store’s local operations training.
- We have established, and periodically test, data security breach preparedness and response plans that are designed to address a range of scenarios that include data breaches and ransomware attacks.
- We are subject to regular information technology and security audits by internal audit staff and external third parties.
- We conduct third-party cybersecurity risk diligence for key service providers based on our assessment of their criticality to our operations and respective risk profile.

The Company (or a third party on which it relies) may not be able to fully, continuously and effectively implement security controls as designed or intended. The Company utilizes a risk-based approach and judgment to determine which security controls to implement, and it is possible that the Company may not implement appropriate controls if management does not recognize, or underestimates, a particular risk. In addition, security controls, no matter how well designed or implemented, may only partially mitigate, but not fully eliminate, risks. Security events, when detected by security tools or third parties, may not always be immediately understood or acted upon by the Company (or by third parties on which it relies).

As of the filing of this Annual Report on Form 10-K, we are not aware of any cybersecurity incidents that have occurred that have materially affected us, including our business strategy, results of operations or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. If as a result of any future attacks our information technology systems are significantly damaged, cease to function properly or are subject to a significant cybersecurity breach, we may suffer an interruption in our ability to manage and operate the business, and our business strategy, results of operations or financial condition could be adversely affected. See “Risk Factors - Information Technology Risks.”

Governance

The Audit Committee (Committee) of our Board of Directors has primary oversight responsibility for the Company’s risk assessment and risk management activities, including addressing risks related to cybersecurity through policies and processes, and considering any recommendations for improvement of relevant controls. The chairperson of the Audit Committee updates the full Board of Directors on these matters as deemed appropriate.

The Company has a Cybersecurity Council, which is composed of representatives of the Company’s senior management and exercises management-level oversight of cybersecurity matters. Our Chief Information Security Officer (“CISO”) has primary responsibility for the development, operation, and maintenance of the Company’s cybersecurity risk management program. The CISO holds multiple cybersecurity certifications and has approximately 15 years of cybersecurity experience with public retail companies.

The Committee receives reports from the CISO at least twice per year regarding our cybersecurity risk management program and cybersecurity risks. In addition, management updates the Committee, where it deems appropriate, regarding internal and external security reviews, risk assessments, breach preparedness, threat assessments, and cybersecurity incidents it considers to be significant.

Personnel with access to certain Company data and information technology assets are required to promptly report known or suspected security incidents. Our incident response process is designed to facilitate the reporting of cybersecurity incidents to management, including the CISO and the Company’s designated internal legal counsel, as well as other identified associates from across the Company’s business, as applicable.

Our management team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include: briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.


Company Information

Name: Container Store Group, Inc.
CIK: 0001411688
SIC Description: Retail-Home Furniture, Furnishings & Equipment Stores
Ticker: TCS - NYSE
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: March 29