Page last updated on July 16, 2024
Capri Holdings Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-29 16:09:26 EDT.
Filings
10-K filed on 2024-05-29
Capri Holdings Ltd filed a 10-K at 2024-05-29 16:09:26 EDT
Accession Number: 0001530721-24-000041
Item 1C. Cybersecurity.
Risk Management and Strategy
We are a global company built on the trust of our customers, employees and business partners, and one of the primary ways we maintain that trust is by respecting privacy rights and safeguarding their information. We believe security is at the center of any strong data privacy program and maintaining cyber-readiness and managing cybersecurity risk continue to be areas of critical focus for us. We have in place an enterprise risk management (ERM) program designed to identify and assess the greatest existing and emerging risks that could impact our business, including cybersecurity and data privacy risks. As a part of our ERM process, we have developed a cybersecurity program designed to detect, identify, classify and mitigate cybersecurity and other data security threats. We follow widely-accepted security standards to help guide our decisions and minimize cybersecurity risks. In the event we identify a potential cybersecurity, privacy or other data security issue, we have defined policies and procedures for responding to such security incidents, including procedures that address when and how to engage with Company management, our Board of Directors, other stakeholders and law enforcement. We understand the importance of collecting, storing, using, sharing and disposing of personal information in a manner that complies with all applicable laws. We communicate our brands’ data collection, use and processing practices through clear and comprehensive privacy notices. We empower our data subjects to exercise their privacy rights by contacting us through various channels, and we maintain procedures to honor their requests made pursuant to applicable laws. We continually evaluate our privacy notices, policies and procedures surrounding our handling of personal data and the measures and systems we have in place to help identify, assess, mitigate, respond to and remediate cybersecurity issues or personal data breaches.
The key steps we have taken to detect, identify, classify and mitigate cybersecurity and privacy risks include:
- Adopting and periodically reviewing and updating information security and privacy policies and procedures and undergoing cyber-incident table top exercises;
- Using network and system security tools aimed at detecting and mitigating unauthorized system and data access and cyber threats;
- Conducting targeted audits and penetration tests throughout the year, using both internal and external resources;
- Utilizing threat intelligence to assess potential impacts to company systems and mitigating risks, when applicable, through preventive measures including updates and patching;
- Conducting cyber-maturity evaluations, including engaging an industry-leading, nationally-known third party to independently evaluate our information security maturity on a periodic basis;
- Assessing cybersecurity risk profiles of our third-party service providers, including by partnering with key providers to ensure they have appropriate security measures to safeguard their information technology systems and including robust data security provisions in our contracts with third parties that handle our data;
- Providing annual security and privacy training and awareness to our employees to educate our employees on cybersecurity risks; and
- Conducting periodic phishing simulations to test our employees’ responses to suspicious emails and to inform targeted cyber awareness training.
Despite our efforts and the efforts of our third-party service providers to secure our and their IT systems, cybersecurity attacks and incidents have occurred in the past, and may continue to occur in the future.
For additional information regarding the risks we face from cybersecurity and privacy incidents, see Item 1A “Risk Factors-Risks Related to Information Technology and Data Security-Privacy breaches and other cyber security risks related to our business could negatively affect our reputation, credibility and business.”
Governance
Management is responsible for understanding and managing the risks that we face in our business, including relating to cybersecurity, and the Board of Directors is responsible for overseeing management’s overall approach to risk management. On at least an annual basis, as part of our ERM process, the Board reviews the Company’s major risks, including risks related to cybersecurity and global information systems, along with potential options for mitigating these risks. The Board is informed of these risks through regular reports from our Chief Executive Officer, Chief Financial Officer and Chief Operating Officer (CFO), General Counsel and Chief Sustainability Officer, and other key members of senior management. Although the Board as a whole is ultimately responsible for risk oversight, the Board uses its committees to assist in its risk oversight function. The Audit Committee of our Board of Directors has primary responsibility for operation of the ERM program and risk management, business continuity planning and information systems infrastructure and cybersecurity risk. As a result, the Chair of the Audit Committee also provides periodic updates to the full Board on these matters as part of its committee reports. The Audit Committee generally receives quarterly cybersecurity and information systems infrastructure reports from either our Chief Information Officer (CIO) or our head of Global Cybersecurity and Compliance (Head of Cybersecurity), who reports to our CIO, and who oversees a global team responsible for our cybersecurity infrastructure.
These reports cover various cybersecurity and information technology matters, including material risks and threat trends, mitigation strategies, security incidents, the status of information technology and cybersecurity priorities and initiatives and other related matters of importance. The Audit Committee provides periodic updates on these topics to the full Board as necessary. In addition to the above, the Audit Committee, typically in the presence of the full Board, will review the results of the independent cyber-maturity evaluations described above, and from time to time participates in table top exercises or other cybersecurity training programs. Our Head of Cybersecurity is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents through our key cybersecurity processes, discussed above, and, together with other lead members of the incident response teams, is responsible for informing senior leadership across the organization about any cybersecurity incidents that may occur. As a result, in addition to the regular updates referenced above, the Audit Committee and the full Board of Directors would also be promptly informed by the CFO and General Counsel of cybersecurity incidents in accordance with our security incident response procedures, as well as provided ongoing updates from lead members of the incident response teams, including the Head of Cybersecurity, regarding any such incidents in accordance with our incident response plan. Our Head of Cybersecurity has over 15 years of experience managing and leading information technology and cybersecurity teams. Subsequent to the end of our fiscal year, our CIO left the Company and, in the interim, our Head of Cybersecurity currently reports to our CFO who reports to our Chief Executive Officer.
Company Information
Name | Capri Holdings Ltd |
CIK | 0001530721 |
SIC Description | Leather & Leather Products |
Ticker | CPRI - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | March 29 |