Page last updated on March 27, 2025
FOOT LOCKER, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 16:19:13 EDT.
Filings
10-K filed on 2025-03-27
FOOT LOCKER, INC. filed a 10-K at 2025-03-27 16:19:13 EDT
Accession Number: 0001437749-25-009620
Item 1C. Cybersecurity.
Cybersecurity risk management, including our processes for assessing, identifying and managing material risks from cybersecurity threats, is an integral part of our overall enterprise risk management program.
Cybersecurity risk management and strategy
We use information technology and third-party service providers to support our global business processes and activities, which exposes us to cybersecurity risks.
Key Program Components
To help manage cybersecurity risk, the Company uses cybersecurity frameworks and standards as a guide, such as the National Institute of Standards and Technology’s Cybersecurity Framework, International Organization of Standardization ISO/IEC 27002, and Payment Card Industry (PCI) Security Standards. We use, and continue to improve, our cyber defense-in-depth strategy, which uses multiple layers of security for holistic protection.
Our cybersecurity risk management program includes:
● the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls, including third-party network security reviews, scans, and audits, on at least an annual basis;
● data protection and cybersecurity training for employees with access to information systems, certain individuals with privileged access, such as system administrators and developers, are subject to additional controls and monitoring activities;
● periodic phishing campaigns to train our employees to better identify, report, and avoid malicious content;
● a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
● a disaster recovery plan and controls designed to protect against business interruption, including by backing up our critical systems;
● a third-party risk management process for service providers, suppliers, and vendors who have access to our information systems.
Cybersecurity Governance
The Board of Directors has risk oversight responsibility regarding risks that could affect the Company. Oversight for certain risks is administered through committees of the Board. The Audit Committee of the Board is responsible for oversight over our enterprise risk management framework. Cybersecurity risk is included in our enterprise risk management program.
The Technology and Digital Engagement Committee of the Board has primary responsibility for oversight of the Company’s cybersecurity risk. This Committee receives regular briefings from our Chief Operations Officer, Chief Technology Officer, Chief Information Security Officer, and outside experts on cybersecurity risks and cyber risk oversight. During these meetings, the Technology and Digital Engagement Committee and management discuss cybersecurity risks, risk management activities and efforts, best practices, the effectiveness of our security measures, and other related matters. The Technology and Digital Engagement Committee Chair reports on the committee’s meetings, considerations, and actions to the Board at the next Board meeting following each committee meeting. The Audit Committee also discusses and receives updates on cybersecurity matters in connection with its oversight of enterprise risk management.
We maintain a security incident response plan that is utilized when cybersecurity incidents are detected. We conduct periodic tabletop exercises, in which different internal and external stakeholders, including from time to time our CEO, Non-Executive Chair, or Board of Directors, participate in a simulated cyber scenario. The purpose of these exercises is to test our security incident response plan, identify weaknesses or gaps, and ensure that all participants are aware of, and familiar with, their roles and responsibilities.
Our Chief Information Security Officer, with oversight from the Chief Technology Officer and Chief Operations Officer, is primarily responsible for assessing and managing cybersecurity risks. Our Chief Information Security Officer has extensive cybersecurity knowledge and skills gained from over 25 years’ experience in the field. He holds a Certified Information Systems Security Professional certification, issued by ISC, which is a globally recognized credential demonstrating expertise in information security and risk management. Our Chief Information Security Officer stays up to date on developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition also informs our program of prevention, detection, mitigation, and remediation of cybersecurity incidents.
Several experienced information security professionals report to our Chief Information Security Officer and he is supported by a team of trained cybersecurity team members. In addition to our in-house cybersecurity capabilities, at times we also engage assessors, consultants, auditors, or other third parties to assist with assessing, identifying, and managing cybersecurity risks. The Company regularly updates and assesses its information security strategy and responses for new and emerging threats.
To date, the Company is not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, the Company’s business strategy, results of operations or financial position. Notwithstanding the breadth of the Company’s information security program, it may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse impact. Also see “Risks Related to Technology, Data Security, and Privacy” included as part of Item 1A. “Risk Factors,” which is incorporated by reference herein.
Company Information
Name | FOOT LOCKER, INC. |
CIK | 0000850209 |
SIC Description | Retail-Shoe Stores |
Ticker | FL - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | January 31 |