TAPESTRY, INC. 10-K Cybersecurity GRC - 2024-08-15

Page last updated on August 15, 2024

TAPESTRY, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-15 16:01:33 EDT.

Filings

10-K filed on 2024-08-15

TAPESTRY, INC. filed a 10-K at 2024-08-15 16:01:33 EDT
Accession Number: 0001116132-24-000018


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company manages strategic, operational and external risks, including cybersecurity risk, through the Enterprise Risk Management (“ERM”) program which has direct involvement from the Board, the Audit Committee of the Board (the “Audit Committee”), and Senior Management. Our ERM program provides a framework whereby management conducts a comprehensive annual enterprise risk assessment to identify and prioritize the most critical risks facing the Company, as well as emerging risks, and the development and reporting of risk mitigation strategies. Through this process, we have identified cybersecurity as a risk management priority.

The Company has a comprehensive cybersecurity risk assessment program that systematically identifies, analyzes and evaluates potential threats and vulnerabilities that may impact the confidentiality, integrity, and availability of the Company’s information systems and data. This program includes governance structure, risk identification, risk analysis, risk management, and risk communication and reporting.

On a periodic basis, the Company engages independent third-party subject matter experts to conduct a cybersecurity maturity assessment based on the National Institute of Standards and Technology framework, focused on risk assessment, global payment card industry audits, and compliance audits to help identify gaps and improve existing processes. In addition, the Company has a cybersecurity risk program that includes policies and procedures around onboarding of third-parties, contractual agreement review, risk assessment and on-going monitoring of high-risk vendors.

The Company also has several tools and processes in place to actively prevent, detect and manage cybersecurity incidents. This includes:

- Vulnerability Management - continuous scanning of the technology environment to identify and remediate potential vulnerabilities.
- Attack Surface Management - actively monitor and prevent external attack attempts.
- Security Monitoring and Operations - collection and aggregation of security alerts that are reviewed, analyzed and managed by the security operations team.
- Threat Intelligence - gathering and analyzing information about current and emerging cyber threats.
- Incident Response - incorporating detection and recovery processes, defining roles and responsibilities across the Company, establishing communication protocols and escalation procedures, including performing tabletop exercises.
- Disaster Recovery and Business Continuity Plans - covering both technology and business areas globally with annual exercises to validate processes.
- Cybersecurity Awareness - educating employees and third-party service providers on best practices for protecting the Company from cyber threats, which includes providing annual security and privacy industry-specific training to employees as well as conducting periodic phishing simulations to test their awareness.

We are continuously enhancing our cybersecurity framework in response to the ongoing incidents and threats that we face. Cybersecurity is a key component of the Company’s risk mitigation strategy. As such, a multi-year cybersecurity strategy and roadmap are developed and incorporated into Tapestry’s long range planning and capital allocation process.

During the three fiscal years presented within this Form 10-K, our results of operations and financial condition have not been materially affected by cybersecurity risks and incidents. For a detailed discussion of significant risk factors regarding cybersecurity threats, refer to Item 1A - “Risk Factors - Risks Related to Information Security and Technology.”

Governance

Our Board has active oversight of risk management, which includes cybersecurity. Several members of our Board have cybersecurity experience gained through direct responsibilities, oversight or other relevant education and experience. Our Board has delegated primary responsibility of cybersecurity risk to the Audit Committee. The Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”) provide quarterly updates to the Audit Committee on information security, privacy risk and compliance, with updates to the Board at least annually.

Our CISO manages the Company’s cybersecurity compliance program, including prevention, mitigation, detection and remediation of cybersecurity incidents. Our CISO, who reports directly into the CIO, has over 30 years of experience in information technology and cybersecurity and holds multiple industry certifications. The Company has an Information Governance, Privacy & Security Committee responsible for management oversight of cybersecurity risk, which includes the CISO and key members of management and meets quarterly.

As part of our cyber incident response plan, our CISO is responsible for escalating certain cybersecurity incidents to relevant senior management, along with several stakeholders, who then convene to evaluate the materiality of such incident using a list of quantitative and qualitative guidelines. In addition, outside advisors would be engaged as deemed necessary. The CEO, CFO, and Board are informed if the incident is deemed potentially material.


Company Information

Name: TAPESTRY, INC.
CIK: 0001116132
SIC Description: Leather & Leather Products
Ticker: TPR - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: June 26