lululemon athletica inc. 10-K Cybersecurity GRC - 2025-03-27

Page last updated on March 27, 2025

lululemon athletica inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 16:12:41 EDT.

Filings

10-K filed on 2025-03-27

lululemon athletica inc. filed a 10-K at 2025-03-27 16:12:41 EDT
Accession Number: 0001397187-25-000013

Item 1C. Cybersecurity.

Risk Management and Strategy

Our business operations and relationships with customers and suppliers are heavily reliant on technology. We operate a cybersecurity program designed to assess our security risks and threats, to manage those risks and protect our technology systems and data, and to detect and respond to cybersecurity incidents. We manage strategic risks, including cybersecurity risk, through our Enterprise Risk Management program which has direct involvement from the board of directors, the audit committee, and senior management. Through this process, we have identified cybersecurity as a risk management priority.

Governance

Our board of directors is responsible for the oversight of cybersecurity risks and has delegated primary responsibility to the audit committee, which is responsible for overseeing our enterprise risk assessments and management policies, procedures, and practices (including regarding those risks related to information security, cybersecurity, and data protection).

The audit committee maintains a cybersecurity sub-committee that is comprised of our EVP, Chief Information Officer (“CIO”), our SVP, Chief Information Security Officer (“CISO”), and representatives from the audit committee and board of directors that have knowledge and experience in cybersecurity matters. The cybersecurity sub-committee reviews our cybersecurity risk assessments and the steps being taken to monitor, control, and report on those risks as well as discusses regulatory and market developments. They also review our process for identifying and responding to cybersecurity incidents in a timely manner, and details of cybersecurity attacks or incidents which have occurred.

Management generally meets with, and provides reports to, the cybersecurity sub-committee on a quarterly basis. Our CIO and CISO also meet with and provide reports to the audit committee at least quarterly.

The board of directors receives periodic reports regarding the activities of the cybersecurity sub-committee. These reports and meetings are designed to inform the board of directors and committees about the current state of our information security program including cybersecurity risks, the nature, timing, and extent of cybersecurity incidents, if any, and the resolution of such matters.

Cybersecurity Program and Incident Response

Our CISO is responsible for our cybersecurity program, including risk assessments, information security activities, and controls. The CISO is responsible for establishing and maintaining corporate information security policies and overseeing our risk management activities, which prioritize vulnerability management, risk reduction, and prevention. Our CISO also leads our Cyber Defense and Incident Response (“CDIR”) team which identifies, assesses, escalates, and remediates cybersecurity incidents. Our CISO has over 30 years of experience in the field of cybersecurity, bringing an extensive understanding of cybersecurity threats, regulatory compliance, and industry best practices.

The CDIR team monitors and manages key cybersecurity risks, including threats related to third parties, cloud security, malicious code, e-commerce systems, and store technology. It also conducts security reviews, assesses vulnerabilities, and analyzes threat intelligence to strengthen our cyber defenses and incident response efforts.

As part of our cybersecurity program, we conduct cybersecurity awareness training including phishing simulations and supplemental campaigns as well as mandatory e-learning for all our employees. Our employees have multiple mechanisms for reporting cybersecurity and data privacy concerns.

We work with third-party cybersecurity advisors to undertake assessments of our critical systems and to remediate any high-risk vulnerabilities identified. We also engage third parties to perform penetration testing on our key systems to identify potential weaknesses.

As part of our cyber incident response plan, we utilize an established framework to assess the severity of cybersecurity incidents. Under the plan, incidents are escalated to relevant senior management, and the board of directors, as appropriate, based on their severity. Our disclosure committee assesses the materiality of severe incidents including both quantitative and qualitative factors.

Third Parties

We utilize third-party service providers as a normal part of our business operations. To address cybersecurity risks arising from our relationships with third-party service providers, we employ a vendor risk program. We monitor risks relating to potential compromises of sensitive information at our third-party service providers and re-evaluate the risks associated with our partners periodically. Prior to exchanging our data with third-party service providers, they are required to go through a vendor risk assessment. We also conduct third-party security reviews and evaluate their network, processes, and systems. In addition, we obtain annual attestation reports related to data security and privacy from certain third-party service providers to further support compliance with industry-standard cybersecurity protocols.

Impact of Cybersecurity Risks on Strategy and Results

As of the date of this annual report, we are not aware of any cybersecurity incidents that have had a material impact on our business. However, like many companies, we continue to face ongoing cyber threats, including phishing and other unauthorized access attempts, which if successful could have a material impact in the future. For more information, see “Risks related to information security and technology” included in Item 1A. Risk Factors of this annual report.


Company Information

Name: lululemon athletica inc.
CIK: 0001397187
SIC Description: Apparel & Other Finishd Prods of Fabrics & Similar Matl
Ticker: LULU - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: February 1