Revolve Group, Inc. 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

Revolve Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:30:28 EST.

Filings

10-K filed on 2025-02-25

Revolve Group, Inc. filed a 10-K at 2025-02-25 16:30:28 EST
Accession Number: 0000950170-25-026748

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Risk Management and Strategy We have implemented policies and processes to evaluate and manage cybersecurity risks, incorporating them into our broader risk management framework. We regularly examine cybersecurity threats that could compromise our information systems’ security or data. Every quarter we evaluate our cybersecurity posture and reassess whether significant changes in our business could impact our digital infrastructure. These assessments aim to identify potential internal and external threats, estimate their probability and possible impact, and gauge the effectiveness of our current policies and processes in mitigating these threats. Following these risk assessments, we evaluate whether and, if so, how to re-design, implement and maintain reasonable safeguards to minimize identified risks and reasonably address any identified gaps in existing safeguards. We also regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high-level personnel, including our chief architect, who reports to our co-chief executive officer, to manage the risk assessment and mitigation process. We regularly check and improve our security measures and educate our employees about them with the help of our information technology team. Key personnel are made aware of our cybersecurity policies through trainings. We engage third parties in connection with our risk assessment processes. We require all external service providers who may impact our cybersecurity risks to certify that they can set up and maintain proper security consistent with all applicable laws, manage security effectively for their work with us, and quickly inform us if they think their security has been breached. We have never experienced a cybersecurity incident that was determined to be material, although, like many technology-dependent companies operating in the current environment, we have experienced cybersecurity incidents in the past. For additional information regarding whether any risks from cybersecurity threats are reasonably likely to materially affect our company, including our business strategy, results of operations or financial condition, please see the section titled “Risk Factors.” 50 Governance One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors monitors and assesses strategic risk exposure, and our executive officers manage the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole and through the audit committee. We have established a cybersecurity committee, composed of members of senior management, to provide guidance, management and oversight of our cybersecurity and data responsibility initiatives and risk assessment and mitigation protocols, including those described in the “Risk Management and Strategy” section above. Our chief architect, who has over 15 years of experience in software engineering and has served as our chief architect for eight years, is a member of our cybersecurity committee and works to manage our cybersecurity policies and processes. Our chief architect and cybersecurity committee stay informed and manage how we identify, address, prevent and resolve cybersecurity issues and related matters. This is done through regular checks of our systems, tests to identify security weaknesses and maintaining our incident response plan. Our chief architect and the cybersecurity committee are responsible for our cybersecurity rules and methods, like those described in the “Risk Management and Strategy” section. They stay updated and track how we prevent, identify, lessen and address cybersecurity issues. This is done through regular checks of our systems, tests to find security weaknesses and having a plan ready to respond to any incidents. In addition to regular meetings and participation on the cybersecurity committee, the chief architect and co-chief executive officer regularly discuss active, emerging and potential cybersecurity risks. They keep each other informed about significant changes affecting cybersecurity , and they periodically update our board of directors or the audit committee about these changes as well as our cybersecurity risks, so that our board of directors can administer its oversight function as part of its broader oversight and risk management.

Company Information