Barnes & Noble Education, Inc. 10-K Cybersecurity GRC - 2024-07-01

Page last updated on July 16, 2024

Barnes & Noble Education, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-01 16:46:02 EDT.

Filings

10-K filed on 2024-07-01

Barnes & Noble Education, Inc. filed a 10-K at 2024-07-01 16:46:02 EDT
Accession Number: 0001634117-24-000048


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategic Approach

The company’s information security program is meticulously crafted, integrating administrative, technical, and physical safeguards. Embracing a risk-based approach, we proactively mitigate cybersecurity risks to ensure the confidentiality, integrity, and availability of our information systems and data assets. This comprehensive framework extends to overseeing service-provider relationships, aligning with the specific risks associated with each engagement.

Deploying a multi-tiered defense strategy, we fortify our defenses with layers of controls designed to identify, protect against, detect, respond to, and recover from cybersecurity incidents. Central to this effort is our Cyber Security Team, entrusted with the critical task of swiftly detecting, mitigating, and remediating cybersecurity threats. Guided by our documented incident response plans, we orchestrate a swift and decisive response, engaging functional areas, internal escalations, and stakeholders as dictated by the nature and severity of the incident.

Key to our cybersecurity resilience, we strategically leverage third-party expertise and tools to augment our defenses, ensuring a proactive stance against evolving threats. Rigorous assessments by third-party auditors validate the alignment of specific components of our technology environment with industry standards such as the Payment Card Industry Data Security Standards, ensuring robust compliance and resilience. Industry standards such as the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity inform our program and are the basis of our compliance commitment. Regular maturity assessments, conducted by external experts, ensure that our cybersecurity program remains at the forefront of industry best practices, tailored to our unique operational landscape.

Although cybersecurity threats are an inherent part of the digital landscape, we stand resilient. While past incidents have been swiftly addressed without material impact on our operations or financial standing, we remain vigilant. Our Enterprise Risk Management program recognizes the ongoing nature of cybersecurity risks and our commitment to mitigating potential impacts on our operations, business strategy, and financial health.

Cybersecurity Governance

Our Board of Directors, Audit Committee and Legal team oversee the cybersecurity processes of identifying and mitigating cybersecurity risks. Reporting directly to our Chief Information Officer, our Chief Information Security Officer (“CISO”) leads the charge, ensuring that our cybersecurity posture remains robust and adaptive. Through quarterly updates to the Audit Committee and periodic briefings to the Board of Directors, senior management keeps governance structures informed and aligned with our evolving cybersecurity landscape.

With over a decade of dedicated service to BNED, our current CISO brings a wealth of experience and expertise to the organization, including over three decades of Information Technology (“IT”) experience. The last two decades have focused on IT security and innovative ways to manage and lead a security team. Previously, the CISO was the Director of IT Security and Infrastructure at The Children’s Place Inc. The CISO is experienced in deploying a Zero Trust framework, Identity and Access Management programs, Email and Web Gateways, managing IT compliance for SOX, PCI, and ADA, and has developed and introduced new information security and computer risk management programs based on National Institute of Standards and Technology (NIST) Cybersecurity Framework across numerous platforms for multiple retail chains.

Supported by a dynamic leadership team comprised of seasoned professionals, our cybersecurity initiatives are not just policies; they’re a testament to our commitment to securing customer information and upholding our privacy promises. Embedded in our Code of Conduct & Ethics and reinforced through our security awareness training program, cybersecurity awareness is not just a task; it’s a shared responsibility, woven into the fabric of our corporate culture.


Company Information

Name: Barnes & Noble Education, Inc.
CIK: 0001634117
SIC Description: Retail-Miscellaneous Shopping Goods Stores
Ticker: BNED - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: April 26