Designer Brands Inc. 10-K Cybersecurity GRC - 2025-03-24

Page last updated on March 24, 2025

Designer Brands Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-24 16:07:41 EDT.

Filings

10-K filed on 2025-03-24

Designer Brands Inc. filed a 10-K at 2025-03-24 16:07:41 EDT
Accession Number: 0001319947-25-000012


Item 1C. Cybersecurity.

RISK MANAGEMENT AND STRATEGY

We have developed an information security program that is designed to address material risks from cybersecurity threats. Our information security program is integrated into our overall enterprise risk management process, which the Board ultimately oversees. The Board has delegated its responsibility for cybersecurity risk oversight to the Technology Committee of the Board, which is responsible for (i) regularly reviewing with management significant cybersecurity, privacy, artificial intelligence, and IT risks or exposures, and our policies and processes with respect to risk assessment and risk management of the same; (ii) regularly reviewing with management an assessment of the steps management has taken to monitor and control such risks; and (iii) regularly reporting to the full Board on such matters.

As described in further detail below, our information security program is led by our Director of IT Security & Compliance (“DITSC”), who is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. The program includes policies and procedures that guide our implementation and maintenance of security measures and controls. Risk-based analysis and judgment of the DITSC and our management team, along with feedback from internal and third-party audits and assessments, are used to select security controls to address risks. The following factors, among others, are considered when identifying security controls: likelihood and severity of a risk, impact on the Company and others if a risk materializes, feasibility of controls, and impact of controls on operations and others.

Third parties also play a role in our cybersecurity, as we engage security firms in different capacities to provide or operate some of these controls and technology systems, including cloud-based platforms and services. For example, third parties are used to conduct assessments, such as vulnerability scans and penetration testing. We use a variety of processes to address and oversee cybersecurity threats related to the use of third-party technology and services, including a vendor risk management program.

We have a written incident response plan and conduct tabletop exercises to enhance incident response preparedness. We have other response protocols to address operating impacts due to disruptions in services and technology, including scenario run books and mitigation plans for key vendors. Employees undergo security awareness training when hired and annually.

GOVERNANCE

The DITSC is the Company’s management position with primary responsibility for the development, operation, and maintenance of our information security program. The DITSC offers over 20 years in cybersecurity expertise, cultivated through service in the United States Air Force and subsequent roles in both public and private sectors across diverse industries. The DITSC has obtained multiple industry specific certifications, including the Certified Information Systems Security Professional and Certified Information Security Manager. The DITSC briefs the Technology Committee of the Board regularly and oversees regular cybersecurity training and education opportunities for the Board, which covers topics ranging from the current threat landscape to our cybersecurity program metrics, risks, and roadmap. Management receives regular updates on cybersecurity risks from the DITSC.

In the event of a security incident, the DITSC will follow the escalation process in our incident response plan to notify the Company’s Crisis Committee, which is composed of a cross-functional group of Company leaders. The Crisis Committee will work with the DITSC to respond to and remediate any actual cybersecurity incidents. Depending on the severity of the security incident, the DITSC and the Crisis Committee are to escalate the security incident to the Company’s General Counsel and the Principal Accounting Officer, who will assess materiality in consultation with outside counsel. The General Counsel will notify the Technology Committee and the Board of any potential material incident.

As of the date of this report, the Company has not identified risks from known cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. However, there can be no assurance that the Company, or third parties on which it relies, will not experience a cybersecurity threat or incident in the future, and we continue to closely monitor cyber risk. We may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. Risk factors for a discussion of cybersecurity risks.


Company Information

Name: Designer Brands Inc.
CIK: 0001319947
SIC Description: Retail-Shoe Stores
Ticker: DBI - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: February 2