Burlington Stores, Inc. 10-K Cybersecurity GRC - 2025-03-17

Page last updated on March 17, 2025

Burlington Stores, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 17:16:35 EDT.

Filings

10-K filed on 2025-03-17

Burlington Stores, Inc. filed a 10-K at 2025-03-17 17:16:35 EDT
Accession Number: 0000950170-25-040472


Item 1C. Cybersecurity.

Risk Governance and Oversight

Cybersecurity represents an important component of the Company’s overall cross-functional approach to risk management. Our cybersecurity practices are integrated into the Company’s enterprise risk management (ERM) approach, and cybersecurity risks are among the core enterprise risks identified for oversight by the Board through our annual ERM assessment. While the Board is ultimately responsible for risk oversight, the Audit Committee oversees the overall review of our policies and procedures with respect to risk assessment and risk management, and has oversight of information technology and security matters, which includes cybersecurity strategies and risks, as well as data privacy and data protection (Information Security). The Audit Committee oversees the management of risks from cybersecurity threats, including the policies, processes, and practices that the Company’s management implements to address risks from cybersecurity threats.

On a quarterly basis, our Chief Information Officer (CIO) and Chief Information Security Officer (CISO) report to the Audit Committee on our Information Security program, including presentations and reports on cybersecurity risks, which address a wide range of topics including, for example, recent developments, security initiatives, vulnerability assessments, the threat environment, technological trends, and information security considerations arising with respect to the Company’s peers and vendors; recent cybersecurity-related developments; strategic activities; and the execution of our cybersecurity awareness training. In turn, the chair of the Audit Committee reports out to the full Board on a quarterly basis regarding these matters, among other matters addressed by the Audit Committee.
Management utilizes a cross-functional approach designed to address the risk from cybersecurity threats, involving senior management personnel from the technology, operations, legal, risk management, internal audit and other key business functions, as well as members of the Company’s Board and the Audit Committee of the Board.

The Company’s CIO, with support from our CISO and the other members of the cybersecurity team, is the member of the Company’s management that is principally responsible for overseeing the Company’s cybersecurity risk management program. The CIO, in coordination with the CISO, works to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to cybersecurity incidents. To facilitate the success of this program, the cybersecurity team works to address cybersecurity threats and respond to cybersecurity incidents in accordance with the Company’s written incident response plan. The CISO and cybersecurity team regularly meet to monitor the prevention, detection, mitigation and remediation of cybersecurity incidents, and the CISO consults with the CIO and executive management, including the Chief Executive Officer, to report such incidents to the Audit Committee and the Board and initiate a response to incidents when appropriate.

We believe our cybersecurity team, led by our CISO, has the appropriate expertise, background and depth of experience to manage risks arising from cybersecurity threats. Our CISO is a credentialed and industry-recognized security executive with over 20 years’ experience in healthcare, government and the private sector implementing enterprise cybersecurity and privacy programs, building high performing teams, creating a risk-aware culture, managing cybersecurity incidents, and communicating cyber risks to boards of directors. He holds a Master’s degree in Computer Engineering and has obtained certifications, including Certified Information Security Manager and Certified Information Systems Security Professional. Prior to joining Burlington, the CISO served as the CISO at Hospital for Special Surgery for 6 years and as a CISO at NYC Health+Hospitals for 4 years. Our CISO reports to our CIO, who has more than 25 years of information technology leadership experience. Together our CIO and CISO have decades of leadership experience in information technology, cybersecurity and retail.

Risk Management

We have created a cybersecurity program that endeavors to prevent, detect, contain and respond to material risks from cybersecurity threats and incidents and integrate cybersecurity risk into our enterprise risk management framework and activities. Our program consists of policies and procedures for identification, assessment, remediation, response, and reporting of cybersecurity threats and incidents. The cybersecurity program is a part of our company’s ERM framework and activities. The cybersecurity program employs a risk-based approach and draws upon a combination of industry standard frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Payment Card Industry Data Security Standard (PCI DSS).

Our cybersecurity risk management approach and processes are designed to manage risks from cybersecurity threats associated with our use of third-party service providers, ranging from vendor cyber vetting to conducting security assessments and monitoring activities. We also operate an employee awareness and training program to help ensure all relevant associates are equipped to recognize and respond to potential threats. Additionally, we leverage threat intelligence technologies to inform our response posture to potential emerging threats to our digital business infrastructure and systems. Furthermore, we engage with third-party cybersecurity consultants and technology vendors to assess our cybersecurity program and test our technical capabilities. The Company also carries information security risk insurance that is designed to mitigate against certain potential losses arising from a cybersecurity incident.

To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. As further discussed in Item 1A, Risk Factors, if we are unable to protect our information systems against service interruption, misappropriation of data, breaches of security, or other cyber-related attacks, our operations could be disrupted, we may suffer financial losses and our reputation may be damaged.


Company Information

Name: Burlington Stores, Inc.
CIK: 0001579298
SIC Description: Retail-Department Stores
Ticker: BURL - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: January 31