Page last updated on March 14, 2025
Bath & Body Works, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 16:19:39 EDT.
Filings
10-K filed on 2025-03-14
Bath & Body Works, Inc. filed a 10-K at 2025-03-14 16:19:39 EDT
Accession Number: 0000701985-25-000011
Item 1C. Cybersecurity.
The Company has developed an information security program to address material risks from cybersecurity threats and incidents, which is integrated within its overall enterprise risk management program. The program includes policies and procedures that identify how security measures and controls are developed, implemented and maintained. Under the information security program, the Company performs one or more cyber risk assessments each year based on recognized industry best practices and standards and cyber threat intelligence. The risk assessments, together with risk-based analysis and judgment, are used to determine security measures and controls to address identified risks. The Company considers the following factors, among others, during its risk and control implementation assessments: the likelihood and severity of the risk; the impact on the Company, the Company’s customers, associates and stockholders, and others if a risk materializes; the feasibility and cost of security measures and controls; and the impact of security measures and controls on operations and others.

The Company’s information security program currently includes the following security measures and controls, which are deployed as the Company deems applicable:

- endpoint threat detection and response;
- identity and access management;
- privileged access management;
- logging and monitoring involving the use of security information and event management;
- multi-factor authentication;
- firewalls and intrusion detection and prevention;
- web application firewalls and bot security tools; and
- vulnerability and patch management.

All of the Company’s office-based associates and certain distribution and fulfillment center associates undergo mandatory security awareness training at the time of hiring and on an annual basis thereafter. The Company’s store-based associates receive ad hoc awareness communications and are provided with cybersecurity awareness materials as part of the store operating manual.

The Company uses third-party security firms in different capacities to provide or operate certain security measures and controls and technology systems, including cloud-based platforms and services. For example, third parties are used to conduct assessments, such as vulnerability scans and penetration testing. The Company also uses a variety of processes designed to address cybersecurity threats and incidents related to the use of third-party technology and services, including pre-acquisition diligence, imposition of contractual obligations and performance monitoring.

As part of the Company’s overall enterprise risk management program, the Company has developed business continuity and disaster recovery plans, which include measures designed to respond to potential disruptions to its information technology systems (or information technology systems of third parties on which it relies). The Company also maintains a written information security incident response plan and conducts tabletop exercises to enhance incident response preparedness. The Company is also a member of an industry cybersecurity intelligence and risk sharing organization.

The Company (or third parties on which it relies) may not be able to fully, continuously and effectively implement security measures and controls as designed or intended. As described above, the Company utilizes a risk-based approach and judgment to determine the security measures and controls to implement, and it is possible that the Company may not implement appropriate security measures and controls if management does not recognize, or underestimates, a particular risk. In addition, security measures and controls, no matter how well designed or implemented, may only partially mitigate, but not fully eliminate, risks. Cybersecurity threats and incidents, even when detected or foreseeable, may not always be immediately understood or acted upon by the Company (or by third parties on which it relies).

The Company, like many retailers, relies upon third-party service providers, such as payment processors, network providers and application providers, that have faced risks from threat actors and cybercriminal groups that seek to steal payment card data, consumer data, and other sensitive information; disrupt critical information technology systems; and/or demand ransom payments. Although the Company has implemented security measures and controls designed to address these risks, if these risks were to materialize, such as in the event of a cybersecurity incident causing the networks of a third-party payment processor to not be operational, the impact to the Company could be material.

The Company has not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, which have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition. However, the Company continues to face risks from cybersecurity threats and incidents that, if realized, may have such material effect. Despite its ongoing efforts, the Company cannot provide complete assurance that its information security program will be effective in detecting, preventing, or mitigating such cybersecurity risks. See also “We have undertaken a multi-year initiative to upgrade our digital and information technology systems and capabilities. We significantly rely on our, and our third-party service providers’, ability to successfully implement, upgrade and sustain information technology systems and to protect associated data and system availability” and “Any significant compromise or breach of our data security, including the security of customer, associate, third-party or Company information, could have a material adverse effect on our reputation, results of operations, financial condition and cash flows” in Item 1A. Risk Factors of this Annual Report on Form 10-K for a discussion of cybersecurity risks that could have a material impact on the Company, which sections should be read in conjunction with this Item 1C.

The Company’s Chief Information Security Officer (“CISO”) is the member of the management team with primary responsibility for the development, operation and maintenance of the Company’s information security program. The CISO holds a master of science degree in information assurance and has over 20 years of cybersecurity experience with Fortune 500 financial, defense, consulting and retail companies.

The Audit Committee oversees the Company’s information security program at the Board level. The Audit Committee, which is composed entirely of independent members of the Board, receives reports directly from the CISO at least three times per year regarding the Company’s information security program, including reports regarding items such as cybersecurity policies and practices, cybersecurity program resources, third-party assessments of the Company’s information security program, key risks related to the Company’s information security program and the Company’s security measures and controls.

As described above, the Company maintains an information security incident response plan that includes processes and procedures for evaluating and escalating cybersecurity threats and incidents to, as determined to be appropriate, the Company’s executive management team and members of the Board. The initial impact level of each cybersecurity threat or incident is evaluated by a designated team of information security specialists using risk criteria that have been defined and approved by the Company’s executive management team and reviewed with the Audit Committee. If escalated, the threat or incident is evaluated by a cross-functional core and extended team, as applicable, of managers that includes the CISO and designated internal legal counsel with extensive cybersecurity experience, as well as identified associates from across the Company’s business and functions, as applicable. Cybersecurity threats and incidents are assigned incident impact levels based on the core team’s determination of potential impact to the Company. The core team employs defined risk criteria to classify incidents and escalate incidents accordingly. Based on the severity classification assigned by the core team, incidents may be escalated to, as applicable, representatives of the Company’s executive management team (which includes the Disclosure Committee), the Chairs of the Board and the Audit Committee, other members of the Audit Committee and/or the full Board.

The Company has an Enterprise Risk Management function that oversees the identification, prioritization and mitigation of the Company’s enterprise risks, and cybersecurity is a risk category addressed by that function. The Company uses governance, risk and compliance tools designed to assess, identify and manage its cybersecurity risks.
Company Information
Name | Bath & Body Works, Inc. |
CIK | 0000701985 |
SIC Description | Retail-Retail Stores, NEC |
Ticker | BBWI - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | January 31 |