ABERCROMBIE & FITCH CO /DE/ 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

ABERCROMBIE & FITCH CO /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 17:03:55 EDT.

Filings

10-K filed on 2025-03-31

ABERCROMBIE & FITCH CO /DE/ filed a 10-K at 2025-03-31 17:03:55 EDT
Accession Number: 0001018840-25-000013


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company has established an information security program and related processes for assessing, identifying, and managing material risks from cybersecurity threats to the Company, including governance at the executive and Board level of the Company’s cyber risk management strategy and the controls designed to protect its operations. The Company’s information security program is managed at the executive level, with regular reporting to, and oversight by, the Board as described below. The Company’s program includes multi-layered governance by management, the Audit and Finance Committee of the Board and the Board, as described in greater detail below. The Company’s policies and procedures identify how cybersecurity measures and controls are developed, implemented, and regularly reviewed and updated. The Company implements and maintains a set of controls to manage information risk, establishes guidelines for the use of information technology, and defines standards for identifying and mitigating information risks. The controls are developed based on risk assessments and a review of controls from multiple security frameworks, such as the Center for Internet Security’s Critical Security Controls and the Payment Card Industry Data Security Standard.

The Company, internally and through third parties, conducts multiple information risk assessments each year. Risks identified in such assessments are considered and evaluated for inclusion in the Company’s information risk portfolio and are then prioritized and addressed where appropriate to update the Company’s information security programs. Assessments, along with risk-based analysis and judgment, are used by the Company to determine how it should manage these risks.

In addition, the Company’s Incident Response Plan (“IRP”) provides an outline for the Company on how to identify and address a significant cybersecurity incident. The IRP includes certain steps to be taken by the Information Security team to, among other things, assess the severity of an incident, determine the appropriate escalation, and mitigate or remediate the incident. The IRP is intended to serve as a framework to aid the Information Security team and other corporate functions in coordinating the Company’s response to an incident in order to minimize the impact on the Company’s business and operations, as well as the affected parties.

The Company also conducts cybersecurity exercises and training. For example, certain corporate associates and management-level associates in our stores and distribution centers must complete cybersecurity training at least annually, which educates the associates on the Company’s policies and procedures for the handling of customer and employee personal data, incident reporting, and avoiding common cybersecurity threats such as phishing attacks. In addition, targeted training for corporate associates occurs throughout the year, and regular audiences include associates on the Company’s marketing, data analytics, and user experience teams. The Company’s management holds annual executive data incident tabletop exercises and the information security team holds more frequent technical tabletop exercises.

The Company leverages third-party security firms in different capacities to implement or operate various aspects of the Company’s information assets and information security program, including to conduct risk assessments and penetration testing. The Company uses a variety of processes to address cybersecurity threats associated with third parties, including our use of third-party technology and services, such as conducting risk assessments and reviewing contractual requirements where the Company has determined it to be appropriate.

The Company (or the third parties on which it relies) may not be able to fully, continuously, and effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine the security controls to implement, and it is possible we may not implement sufficient controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only partially mitigate and not fully eliminate risks. Events, when detected by security tools or third parties, may not always be immediately understood or acted upon.

Board Governance and Management

Cybersecurity risk is managed as an enterprise risk in the Company’s enterprise risk management process. Responsibility for risk oversight and management generally lies with the Company’s Board. To manage oversight of our cybersecurity risk management practices, since 2019 the Board has delegated such responsibility to the Company’s Audit and Finance Committee. The Company’s Chief Information Security Officer (“CISO”) and the Information Security team provide reports to either the Audit and Finance Committee or the Board on a quarterly basis on various matters, such as current and emerging cybersecurity risks to the Company, risks and incidents that were escalated to management during the prior quarter (including those that did not require immediate escalation to the Audit and Finance Committee and/or full Board), internal and external assessments of the Company’s information security program, and a roadmap of projects and major initiatives to manage its information security posture.

At the executive and management level, the CISO has primary responsibility for the architecture, implementation, and management of the Company’s information security program. The CISO has approximately two decades of experience in technology risk management, including over a decade with the Company, and has passed examinations and received certifications as a SANS Global Information Security Leader and a Certified Information Systems Auditor. The CISO reports directly to the Company’s Chief Digital and Technology Officer.

The Company’s Information Security team, under the direction of the CISO, implements and provides governance and functional oversight for cybersecurity controls and services. Information Security processes include escalation of certain risks and incidents, including those that originate or occur at third parties, to the CISO and the executive team as appropriate based on the severity or potential severity. In addition, regular updates from the Information Security team, in conjunction with real-time escalation on an as-needed basis, are also used to assess the risk landscape and adjust the Company’s strategy and roadmap to address such risk.

Although the risks from cybersecurity threats have not materially affected our business strategy, results of operations, or financial condition to date, they may in the future and we continue to closely monitor cyber risk. See “ITEM 1A. RISK FACTORS” for additional information regarding the Company’s cybersecurity risks, which should be read in conjunction with this Item 1C.


Company Information

Name: ABERCROMBIE & FITCH CO /DE/
CIK: 0001018840
SIC Description: Retail-Family Clothing Stores
Ticker: ANF - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: January 31