G III APPAREL GROUP LTD /DE/ 10-K Cybersecurity GRC - 2025-03-24

Page last updated on March 24, 2025

G III APPAREL GROUP LTD /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-24 16:32:02 EDT.

Filings

10-K filed on 2025-03-24

G III APPAREL GROUP LTD /DE/ filed a 10-K at 2025-03-24 16:32:02 EDT
Accession Number: 0001558370-25-003540


Item 1C. Cybersecurity.

Risk Management and Strategy

We have robust programs in place for assessing, identifying and managing material risks from cybersecurity threats. Our approach leverages a comprehensive suite of security tools and initiatives, including but not limited to, Managed Security Service Providers, Extended Detection and Response monitoring, internal reporting mechanisms, and advanced detection and monitoring tools. Our information security program is continuously evaluated through internal audits and a range of security exercises, including tabletop simulations, penetration testing, vulnerability assessments and red team exercises. Identified security gaps from these assessments are systematically integrated into our risk remediation processes and incorporated into our security tools and applications to enhance our overall cybersecurity policies and procedures. In addition, we conduct annual Payment Card Industry Data Security Standard compliance reviews and independent third-party penetration testing to ensure our defenses remain resilient and aligned with industry best practices.

Our global cybersecurity team is composed of multidisciplinary Information Technology (“IT”) professionals from key regions, led by our Global Director of Cybersecurity. This team is responsible for providing comprehensive reporting to executive management and auditors, covering cybersecurity threats, assessments, findings and strategic direction for future improvements. We ensure continuous endpoint monitoring in collaboration with a third-party cybersecurity firm. For high or critical severity incidents, rapid response protocols are in place, including isolation, segmentation and forensic analysis by our cybersecurity team. Additionally, we have engaged a dedicated third-party threat hunter to assist in identifying Indicators of Compromise.

Our Global Director of Cybersecurity leads a quarterly cybersecurity governance meeting, bringing together IT teams from all subsidiaries. This meeting serves as a forum to review ongoing and upcoming security initiatives, regulatory compliance and industry best practices.

We conduct an annual tabletop exercise facilitated by an external cybersecurity specialist. This exercise simulates various attack scenarios, testing our incident response plans and procedures to ensure effective threat detection, mitigation and remediation. It also evaluates potential business impacts, including business continuity, backup strategies, data protection, compliance, and regulatory requirements such as GDPR, CCPA and PCI. Participants include IT leadership, finance, legal, insurance, and operations teams across all subsidiaries, ensuring a coordinated and well-prepared response to cybersecurity threats.

Our cybersecurity resilience is further strengthened through annual penetration testing performed by a leading third-party firm. This assessment includes external and internal penetration testing, Wi-Fi security evaluations, social engineering exercises and physical access testing. We leverage a vulnerability management platform to maintain comprehensive asset visibility, systematically identify risks and prioritize remediation efforts. Additionally, all corporate employees with system access must complete annual data protection and cybersecurity training to reinforce security awareness and compliance.

Our third-party IT vendors undergo independent audits to validate their compliance with System and Organization Controls (“SOC”) 1 and SOC 2 standards. Vendor access to our networks is restricted to the applications necessary for their services. We proactively assess vendor risk using third-party rating tools, quantifying vulnerabilities and engaging vendors in remediation efforts to mitigate potential security threats.

To further enhance our risk mitigation strategy, we maintain annual cybersecurity insurance policies designed to offset costs associated with covered cybersecurity incidents.

Governance

Our board of directors provides comprehensive oversight of enterprise risk management, including information security, technology and cybersecurity threats. The audit committee of our board of directors is responsible for evaluating the adequacy and effectiveness of internal controls, particularly those designed to assess, identify and manage material cybersecurity risks. The audit committee receives quarterly cybersecurity reports from the Chief Information Officer (“CIO”) and cybersecurity team, detailing material risks, threats and mitigation efforts.

In the event of a cybersecurity incident, the Global Director of Cybersecurity or senior IT leadership will escalate the issue to the Disclosure Committee, following the Incident Response Plan’s predefined escalation criteria. Security incidents are classified based on severity (Critical, High, Medium), impact, and nature, ensuring efficient risk prioritization, resource allocation and incident response management.

Our Disclosure Committee includes key executives and senior leadership, including the Executive Vice President, Chief Growth and Operations Officer, Chief Financial Officer, CIO, Senior Vice President of Finance, Senior Vice President of Investor Relations and Treasurer, Senior Vice President of Legal Counsel and Vice President of Legal Counsel. Additionally, it comprises senior representatives from financial reporting, internal audit, financial planning and analysis, and tax functions, ensuring a comprehensive approach to risk oversight and compliance.

Our CIO has over 28 years of experience leading our technology operations and more than 40 years of expertise in information technology, spanning the banking and fashion apparel industries. Our Global Director of Cybersecurity has over 20 years of experience in information technology, with a specialized focus of more than seven years in cybersecurity, risk management, and compliance. He holds Certified Information Systems Security Professional (“CISSP”) and Certified Ethical Hacker (“CEH”) credentials. Additionally, he serves as a governing body member for the New York Evanta CISO community.

For further discussion of the risks associated with cybersecurity incidents, see our “Risks Related to Cybersecurity, Data Privacy and Information Technology” under “Risk Factors.”


Company Information

Name: G III APPAREL GROUP LTD /DE/
CIK: 0000821002
SIC Description: Apparel & Other Finishd Prods of Fabrics & Similar Matl
Ticker: GIII - Nasdaq
Category: Large accelerated filer
Fiscal Year End: January 30