Under Armour, Inc. 10-K Cybersecurity GRC - 2024-05-29

Page last updated on July 16, 2024

Under Armour, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-29 16:38:44 EDT.

Filings

10-K filed on 2024-05-29

Under Armour, Inc. filed a 10-K at 2024-05-29 16:38:44 EDT
Accession Number: 0001336917-24-000073


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the importance of protecting consumer and employee data and maintaining the safety and security of our information systems. We identify, assess and manage material risks on an enterprise basis through our global enterprise risk management (“ERM”) program. We maintain a cybersecurity program designed to detect, identify, classify and mitigate cybersecurity and other data security threats, which is aligned to and informed by our ERM program. Our cybersecurity program takes into consideration, among other things, compliance requirements, risks to our revenue channels, risks posed by third-party engagements, consumer and employee data security and global enterprise security.

We engage independent third parties to conduct regular penetration testing and targeted security audits of our information systems. In addition, we engage a third-party vendor to conduct 24/7 monitoring of cybersecurity alerts. In the event we identify or are notified of a potential cybersecurity, privacy or other data security incident, we have a data incident response plan that defines procedures for responding to such incidents, including when and how to engage with our executive leadership team, our Board of Directors, other stakeholders and law enforcement, as applicable. We also maintain cyber liability insurance to help defray any financial losses arising out of a cyber security incident; our insurance, however, may not cover all types of cybersecurity incidents or all losses that we incur.

We have adopted, and periodically review and update, information security and privacy notices, policies and procedures. We maintain annual cybersecurity and data privacy training for all employees with access to our corporate systems. In addition, as part of our Payment Card Industry Data Security Standard compliance, we maintain annual role-based training on protecting payment card information for all relevant employees.

We conduct proactive incident preparedness activities focused on cybersecurity risks and business continuity, such as annual table-top exercises with our senior management, as well as periodic phishing simulations to test our employees’ responses to suspicious emails.

We utilize third-party service providers as a part of our day-to-day business operations. Certain of the networks and systems used to conduct our operations are managed by such third-party service providers and are not under our direct control. To address cybersecurity risk to our operations arising from our relationships with third-party service providers, we maintain a third-party risk management program, which includes cybersecurity and data privacy assessments during vendor onboarding to identify and classify risk based on several factors, including the type of data handled by the third-party service provider and the potential impact to our business if there were a significant disruption to the third-party service or system.

Governance

Our Board has delegated primary responsibility to oversee the management of risks related to information technology use and protection, including cybersecurity and data privacy, to the Audit Committee, while retaining oversight of management’s overall approach to risk management. The Audit Committee receives regular reports regarding our cybersecurity risks through two annual briefings by senior management, including our Chief Information Security Officer (“CISO”) and head of data privacy, and additional periodic updates as appropriate. In addition, members of our management team conduct an enterprise-wide internal risk assessment through our ERM program that is updated annually and reviewed and discussed by the Audit Committee. This risk assessment is designed to identify our most material risks, including cybersecurity risks, for evaluation and monitoring.

At each Board meeting, the chairperson of the Audit Committee and the Corporate Secretary report on the Audit Committee’s activities, including risk management, which provides an opportunity to discuss significant cybersecurity risks with the full Board.

Our CISO leads our global cybersecurity team and is responsible for our cybersecurity program. Our current CISO has served in various roles in information technology and information security for over twenty years, including at our Company since 2013. He holds an MBA and a Certified Information Systems Security Professional certification. Our CISO reports to our Chief Technology Officer, who reports to our Chief Executive Officer.

Impact of Cybersecurity Risks on Strategy and Results

As of the date of this Annual Report on Form 10-K, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business, including our business strategy, results of operations or financial condition. However, we and our third-party service providers continue to experience cyberattacks, including phishing, ransomware and other attempts to gain unauthorized access to our and their systems, that could materially affect us in the future.

For additional information regarding the threats we face, see “Risk Factors-Business and Operational Risks-If we encounter problems with our distribution system, our ability to deliver our products to the market could be adversely affected”; “-We rely significantly on information technology and any failure, inadequacy or interruption of that technology could harm our ability to effectively operate our business”; and “-Legal, Regulatory and Compliance Risks-Data security or privacy breaches could damage our reputation, cause us to incur additional expense, expose us to litigation and adversely affect our business and results of operations” included in Part I, Item 1A of this Annual Report on Form 10-K.


Company Information

Name: Under Armour, Inc.
CIK: 0001336917
SIC Description: Apparel & Other Finishd Prods of Fabrics & Similar Matl
Ticker: UAA - NYSE; UA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: March 30