1 800 FLOWERS COM INC 10-K Cybersecurity GRC - 2024-09-06

Page last updated on September 6, 2024

1 800 FLOWERS COM INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-06 09:30:04 EDT.

Filings

10-K filed on 2024-09-06

1 800 FLOWERS COM INC filed a 10-K at 2024-09-06 09:30:04 EDT
Accession Number: 0001437749-24-028591

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy In the ordinary course of our business, we utilize technology systems to collect, use, store, and transmit information. The confidentiality, integrity, and availability of the information in our systems is important to our operations, business strategy, and maintaining the trust of our customers, employees and partners. As part of our enterprise risk management program, we have processes in place to identify, assess, and manage material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. Our cybersecurity team engages with applicable personnel across the enterprise and utilizes software tools to identify, categorize, and quantify material cybersecurity threat risks. The team meets regularly to consider new, known, and evolving risks and evaluate the measures in place to mitigate these risks. Our strategy for managing cybersecurity risk is multifaceted and includes, without limitation: (i) robust security policies and procedures, designed in part to comply with Payment Card Industry, or PCI, rules; (ii) an incident response plan, (iii) comprehensive system security elements and vulnerability scanning; (iv) periodic cybersecurity awareness training and testing for employees and certain contractors; (v) risk management of our third-party suppliers, vendors, and other partners, which includes risk-based diligence and contractual provisions that generally allow for periodic auditing, and (vi) security assessments of any businesses that we acquire. As part of our cybersecurity risk management program, we periodically engage third parties to evaluate and test our systems, run tabletop exercises to test our incident response processes, provide incident response support if needed, and review our PCI compliance. We face ongoing risks that, if realized, could materially impact our business, operations and financial results. See our risk factor disclosures in Item 1A of this Annual Report on Form 10-K under the heading “Information Technology and Systems,” which are incorporated by reference herein. To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the company, including our business strategy, results of operations, or financial condition. Governance The Board of Directors of the Company (the “Board”), as a whole and through its committees, oversees the Company’s risk management process, including operational, financial, legal, strategic, marketing and brand reputation risks. The Technology and Cybersecurity Committee of the Board (the “Committee”) oversees risk management associated with the Company’s information technology use and protection, including data governance, privacy, compliance, and cybersecurity. The Committee comprises Board members with particular expertise in technology and management, equipping them to oversee cybersecurity risks effectively. The Committee is responsible for the oversight of the Company’s policies and procedures intended to provide security, confidentiality, availability, and integrity of the Company’s information, including with respect to data privacy and the Company’s compliance with applicable data privacy and cybersecurity laws and regulations. The Committee also oversees the quality and effectiveness of the Company’s policies and procedures with respect to its information technology systems and provides oversight on the Company’s policies and procedures in maintaining preparedness for responding to any material incidents. The Committee also periodically coordinates with the Company’s Audit Committee, which reviews risks related to the Company’s information technology systems, including privacy, network security and data security. The Company’s program to identify, assess, and manage cybersecurity risks is led by our Chief Information Officer, and leverages the expertise of our Chief Financial Officer and General Counsel. Our Chief Information Officer holds a Bachelor of Science in Computer Science and has over 30 years of work experience, with more than 20 years in senior executive roles involving managing information systems, including implementing effective information and cybersecurity programs. Our Chief Information Officer, who reports to our Chief Executive Officer, meets regularly with the executive leadership team regarding topics related to technology operations, including cybersecurity, and also periodically updates the Board and the Committee regarding the Company’s cybersecurity and data privacy risk mitigation plans. With respect to the prevention, detection, mitigation, and remediation of cybersecurity incidents, our information security team, under the direction of our Chief Information Officer, monitors our information systems, assesses the severity of any incidents it detects or that are otherwise reported, and follows escalation procedures embedded within our incident response plan to inform the Chief Information Officer, other members of management, the Committee, and the Board, each as needed.

Company Information