CALERES INC 10-K Cybersecurity GRC - 2025-04-01

Page last updated on April 1, 2025

CALERES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-04-01 16:18:52 EDT.

Filings

10-K filed on 2025-04-01

CALERES INC filed a 10-K at 2025-04-01 16:18:52 EDT
Accession Number: 0000014707-25-000017

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C CYBERSECURITY Risk Management and Strategy We are committed to protecting our customer and employee data. We employ a defense-in-depth cybersecurity strategy leveraging industry frameworks that feature a prioritized set of robust controls that encompass people, processes and technologies. Our Chief Information Officer (“CIO”) is responsible for the execution of our cybersecurity strategy . Our CIO has over 25 years of retail industry experience developing and implementing information technology strategies and leading cybersecurity programs. The CIO is supported by a team of highly qualified professionals, many of which hold cybersecurity certifications. The Company’s cybersecurity policies, standards and processes are integrated into the Company’s overall risk management program , and cybersecurity risks are regularly evaluated in the context of material risks to the Company. We regularly engage with outside experts to assess the maturity of our organizational security program and to inform our short- and long-term cybersecurity strategy. We maintain a comprehensive cybersecurity program designed to protect the confidentiality, integrity, and availability of our data, systems, and networks. Our security framework is based on a defense-in-depth strategy, employing multiple layers of security controls to mitigate risks associated with cyber threats. Key components of the Information Security Program include: ● Network and Endpoint Security: Firewalls, intrusion prevention systems, endpoint detection and response solutions, and monitoring and alerting. ● Access Controls and Authentication: Multi-factor authentication, least-privilege access principles, role-based access controls and privileged identity management . ● Data Protection: Encryption of sensitive data in transit and at rest, data loss prevention tools, data classification and labeling, and secure backup solutions. ● Incident Response: An incident response plan aligned with industry-best practices and a framework for evaluating the materiality of the incident for disclosure and reporting purposes. ● Compliance and Governance: Adherence to regulatory requirements, third-party risk management and routine security audits. ● Security Awareness and Training: Regular employee training, phishing simulations and a Cybersecurity Ambassador program. We leverage our information sharing relationship with the Federal Bureau of Investigation, Cybersecurity and Infrastructure Agency and local law enforcement, as well as additional threat intelligence information, to continuously assess and enhance our cybersecurity posture to address emerging threats and minimize potential impacts on our operations, customers and stakeholders. Governance The Audit Committee of our Board of Directors is responsible for oversight of our cybersecurity program. In addition, the Technology and Digital Commerce Committee, which was established in 2022, assists the Board of Directors with its oversight responsibilities regarding the role of technology, data, digital commerce and the Company’s ability to understand and connect with its consumers in executing the Company’s strategies, business plans and operational requirements. On a quarterly basis, our CIO updates the Audit Committee on the Company’s cybersecurity program, including, among other items, actual events or incidents, results of vulnerability assessments and penetration testing. We continue to invest in cybersecurity and adapt our internal controls and processes to respond to cybersecurity risks. Cybersecurity threats, including those as a result of any previous cybersecurity incidents, have not materially affected our business strategy , results of operations or financial condition. For a discussion of how cybersecurity risks have affected or are reasonably likely to materially affect the Company, refer to Item 1A, Risk Factors .

Company Information