NIKE, Inc. 10-K Cybersecurity GRC - 2024-07-25

Page last updated on July 25, 2024

NIKE, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-25 16:16:58 EDT.

Filings

10-K filed on 2024-07-25

NIKE, Inc. filed a 10-K at 2024-07-25 16:16:58 EDT
Accession Number: 0000320187-24-000044

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY At NIKE, cybersecurity risk management is an important part of our overall risk management efforts. We have cybersecurity processes, technologies and controls in place to aid in our efforts to assess, identify and manage material risks associated with cybersecurity threats. We assess cybersecurity risk at both the board and management levels. Management’s Role in Managing Risk At the management level, primary responsibility for assessing and managing material risks from cybersecurity threats rests with our Vice President, Corporate Information Security, Risk & Compliance (“VP, CIS”). Our VP, CIS has over two decades of experience in information technology and cybersecurity. The VP, CIS reports to our Chief Information Officer (“CIO”) who has significant experience leading technology teams at large public companies and our CIO reports to our Chief Technology Officer. Our approach to managing cybersecurity risk is informed by the industry-standard National Institute for Standards and Technology Cybersecurity Framework. The VP, CIS has primary responsibility for implementing and overseeing our enterprise-wide cybersecurity strategy, policy, architecture and processes. We use various tools and methodologies to identify and manage cybersecurity risk, including risk assessments and a vulnerability management program that includes periodic penetration testing. We have a third-party cyber risk management program that conducts assessments on third parties who integrate with our data, network, systems and applications. These tools and methodologies inform our remediation activities, which are tracked and reported to senior management. In addition, our internal audit function periodically conducts independent testing of the overall operations of our cybersecurity program and supporting control frameworks, and reports the results to the Audit & Finance Committee. We also engage third parties to assess our cybersecurity program maturity and to perform audits of portions of our cybersecurity control environment based on risk or where necessary to ensure regulatory compliance. Our cybersecurity team meets frequently to monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. In the event of a cybersecurity incident, we have an incident response plan that governs our immediate response including detection, escalation, assessment, management and remediation. As part of incident response, the cybersecurity team will also coordinate with external advisors and other key stakeholders as needed. The cybersecurity team routinely tests this plan across the organization to validate the procedures for appropriately escalating potentially material cybersecurity risks and incidents. Also, we provide an annual, mandatory cybersecurity training program for employees that is intended to help them understand cybersecurity risks and comply with our cybersecurity policies. Board Oversight Our Board of Directors has ultimate oversight of cybersecurity risk as part of its risk management oversight responsibilities, including with respect to cybersecurity risk priorities, resource allocation and oversight structures. The Board of Directors receives an update on our cybersecurity program on an annual basis, or more frequently as determined to be necessary or advisable. The Board of Directors has delegated risk management oversight responsibility for information security and data protection to the Audit & Finance Committee, which regularly reviews our cybersecurity program and related matters with management and reports to the Board of Directors. Topics discussed at the board level include our approach to cybersecurity risk management, key initiatives, the threat landscape and recent developments and trends. The Board of Directors is aware of the critical nature of managing risks associated with cybersecurity threats and is actively engaged in our cybersecurity risk management strategy. Risks from Cybersecurity Threats Even though, to date, cybersecurity risks have not materially affected our business or our results of operations, we face numerous and evolving cybersecurity threats. There can be no assurance that we, or the third parties with which we interact, will not face a cybersecurity incident in the future that will materially affect us. For more information about the cybersecurity risks we face, see the risk factor entitled “We rely significantly on information technology to operate our business, including our supply chain and retail operations, and any failure, inadequacy or interruption of that technology could harm our ability to effectively operate our business” in Item 1A. Risk Factors. 2024 FORM 10-K

Company Information