Page last updated on January 29, 2025
LEVI STRAUSS & CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-29 16:06:30 EST.
Filings
10-K filed on 2025-01-29
LEVI STRAUSS & CO filed a 10-K at 2025-01-29 16:06:30 EST
Accession Number: 0000094845-25-000005
Item 1C. Cybersecurity.
Risk Management and Strategy

We are heavily dependent on information technology systems and networks, including the Internet, third-party services and artificial intelligence, across our supply chain, including for product design, production, forecasting, ordering, manufacturing, transportation, sales, and distribution, as well as for processing financial information, external and internal reporting purposes, retail operations and other business activities. We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats, including, but not limited to, risks from ransomware attacks, security breaches, cyber-attacks or other malicious activities by hackers, criminal groups, nation-states and nation-state-sponsored organizations and social-activist organizations, computer viruses or other malicious code, unauthorized access, phishing attacks or unauthorized uses, as part of our overall risk management framework and processes. Our risk management framework considers cybersecurity risks alongside other company risks to evaluate their nature and severity, as well as to identify mitigations and assess the impact of those mitigations on residual risk.

We maintain a comprehensive cybersecurity and information security framework that includes risk assessment and mitigation through a threat intelligence-driven approach, application controls and enhanced security with ransomware defense. The framework leverages the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0, as well as other standards. We utilize policies, software, training programs and hardware solutions to protect and monitor our environment, including multifactor authentication, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing, identity management, security information and event management systems and insider threat management systems. We also carry insurance that provides protection against certain potential losses arising from a cybersecurity incident.

Our policies require that certain of our employees and contractors complete mandatory security awareness training upon hire or engagement and annually thereafter. The training covers essential topics such as phishing awareness, password security, data protection, social engineering, physical security and compliance requirements. Additionally, targeted training is provided based on roles, responsibilities and access levels to ensure relevance and effectiveness. The awareness and training program also includes practical exercises, such as simulated phishing attacks, to reinforce training objectives and improve understanding of security vulnerabilities. We also participate in a variety of initiatives and groups for collaboration and for increasing our security knowledge and awareness.

Our cybersecurity risk management processes include a third-party risk management program that assesses risks from vendors and suppliers. The program includes cybersecurity and data privacy assessments during vendor onboarding to identify and classify risk based on several factors, including the type of data handled by the third-party service provider and the potential impact to our business if there were a significant disruption to the third-party service or system.

We maintain a robust Cybersecurity Incident Response Program intended to help us respond to an incident, prevent or minimize system disruption or the loss of data, recover business-critical services and facilitate compliance with any applicable legal obligations. Our program includes a written response plan that provides a framework for handling cybersecurity incidents based on the severity of the incident and the formation of a cross-functional incident response team staffed in accordance with the relevant severity level. The plan also sets out a coordinated approach to assessing the severity of potential and actual incidents and their impacts, containing, investigating, documenting, mitigating and remediating incidents, including reporting findings and keeping senior management, the Board of Directors and other key stakeholders and third parties (such as insurance providers and incident response professionals) informed and involved as appropriate.

Our cybersecurity team regularly tests our cybersecurity controls through penetration testing, vulnerability scanning, and attack simulation. Additionally, in connection with our cybersecurity risk management processes, we engage consultants, including outside counsel, to review our processes or programs, benchmark and opine on best practices. We conduct tests on our ecommerce sites to identify control gaps and prioritize process improvements that align with our business and cybersecurity strategy. We also periodically engage a third-party independent review of our cybersecurity program against the NIST Cybersecurity Framework 2.0 to provide an independent assessment and perspective measured against industry standards. In addition, members of senior management participate in periodic tabletop exercises with third-party experts on crisis management best practices to apply their learnings to the company’s business continuity, enterprise risk and cybersecurity programs.

Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. See “Risk Factors” in Item 1A of this Annual Report on Form 10-K for more information on risks from cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations and financial condition.

Governance

Management

Our cybersecurity strategy is developed in close collaboration with business stakeholders and is led by our Chief Information Security Officer (CISO). This strategy forms the foundation of our information security programs and supports effective cybersecurity risk management. Cybersecurity risk management is the responsibility of our information security team, which is overseen by our CISO. Our cyber fusion team, a subset of the information security team, is responsible for incident response, endpoint security management, detection engineering, vulnerability management, and threat intelligence. The cyber fusion team partners with technology and business stakeholders to strengthen the resiliency of our systems. Our CISO is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents pursuant to the escalation procedures in our Cybersecurity Incident Response Plan. As described above, for incidents assessed at elevated severity levels, our CISO, crisis management team and legal team promptly engage a cross-functional incident response team to assess and monitor the incident to comply with applicable legal requirements.

Our CISO has served in this position since 2021 and has over two decades of experience in developing robust security programs across various industries. His previous positions include Deputy CISO for the Federal Reserve System, Chief Business Security Officer at ADP and cybersecurity leadership roles at Equifax. Before joining Equifax, he held positions in information security, compliance and internal audit at McKesson Corporation, Fifth Third Bank and AT&T. He also holds numerous industry certifications and serves as the Board Secretary of the Retail & Hospitality Information Sharing and Analysis Center.

Board of Directors

The Audit Committee of the Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats. This includes the responsibility for reviewing and discussing with management and the Board of Directors our information technology use and protection, including, but not limited to, data governance, privacy, IT risks, compliance, cybersecurity and significant legislative and regulatory developments that could materially impact us, as well as the evaluation with management of the implementation and effectiveness of our controls to monitor and mitigate these risks and the oversight for any investigations related to specific cybersecurity or technology incidents. To fulfill this responsibility, the Audit Committee receives regular reports about cybersecurity risks from our CISO, and receives updates more often as needed, including in the event of a significant cybersecurity incident in accordance with our Cybersecurity Incident Response Plan. These regular reports periodically include information regarding the implementation and administration of the registrant’s cybersecurity processes, cybersecurity governance processes, status of projects relating to cybersecurity, cybersecurity matters relating to any particular products or services, summaries of any material cybersecurity threats or incidents and responses thereto, regulatory updates, updates on cybersecurity trends and the results of any assessments performed by internal stakeholders or third-party advisors. Our Board of Directors retains responsibility for the oversight of our overall risk management systems and processes and our CISO provides periodic reports to the full Board of Directors on cybersecurity risk. The Board of Directors also participates in educational sessions relating to cybersecurity matters.
Company Information
Name | LEVI STRAUSS & CO |
CIK | 0000094845 |
SIC Description | Apparel & Other Finishd Prods of Fabrics & Similar Matl |
Ticker | LEVI - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | November 30 |