Page last updated on April 14, 2025
GUESS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-04-11 16:46:24 EDT.
Filings
10-K filed on 2025-04-11
GUESS INC filed a 10-K at 2025-04-11 16:46:24 EDT
Accession Number: 0000912463-25-000028
Item 1C. Cybersecurity.
Risk Management and Strategy

We have developed and integrated into our overall risk management program an information security program that is designed to address material risks from cybersecurity threats. Our program includes policies and procedures that identify how security measures and controls are developed, implemented and maintained.

A cybersecurity risk assessment, based on an internationally recognized methodology, is conducted annually. The cybersecurity risk assessment process includes three parts: (1) identification of assets such as information, services, software and their dependencies, (2) an assessment of the criticality of the assets based on factors of confidentiality, integrity and availability, and (3) an assessment of other criteria to determine the impact a threat can have on each asset and the likelihood that such a threat occurs. Based on the risk assessment process, risk-based analysis, and using an internationally recognized information security framework as a reference, security controls are chosen.

Specific controls that are used to some extent as part of the information security program include endpoint threat detection and response, privileged access management, logging and monitoring involving the use of security information and event management with monitoring by a security operations center, multi-factor authentication, firewalls and intrusion detection and prevention, vulnerability and patch management, and security awareness training for employees and long-term consultants. Third-party security firms are used in different capacities to provide or operate some of these controls and technology systems, including cloud-based platforms and services. For example, we have used third parties to conduct independent assessments, such as vulnerability scans and penetration testing.

We use a variety of processes to address cybersecurity threats related to the use of third-party technology and services, including pre-acquisition diligence, imposition of contractual obligations, and performance monitoring.

We have a written incident response plan that uses a severity classification process to identify incidents to escalate to executive management and determine whether the impact of the incident is material. We also conduct periodic trainings and tabletop exercises to enhance incident response preparedness. We are a member of an industry cybersecurity intelligence and risk sharing organization. Employees undergo initial cyber security awareness training when hired and maintenance cybersecurity awareness training annually.

To date, we do not believe that known risks from cybersecurity threats, including as a result of any previous cybersecurity incidents that we are aware of, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, we can give no assurance that we have detected or protected against all cybersecurity incidents or cybersecurity threats. Please refer to “-Risks Related to Data Privacy and Cybersecurity” in “Item 1A. Risk Factors” of this Annual Report for additional information about the risks we face associated with cybersecurity threats.

Governance

The Chief Information Security Officer (“CISO”) is the management position with primary responsibility for the development, operation, and maintenance of our information security program, which includes cybersecurity. Our CISO has cybersecurity experience that includes being a lead auditor for ISO/IEC 27001 and ISO 22301 with knowledge of both operations and governance. He previously served as Chief Technology Officer for an international managed security service provider, during which time he served as Virtual CISO, Incident manager and security auditor for several multinational companies.

We have established a Cybersecurity Steering Committee to provide a management-level oversight of cybersecurity. The Cybersecurity Steering Committee reviews the annual risk assessment and provides comments on the overall information security program.

Oversight of the information security program at the Board level sits with the Audit Committee. The Audit Committee is informed of cybersecurity-related risks through the CISO providing quarterly updates on the information security program and more frequently as circumstances require.

Company Information
Name | GUESS INC |
CIK | 0000912463 |
SIC Description | Women’s, Misses’, Children’s & Infants’ Undergarments |
Ticker | GES - NYSE |
Website | |
Category | Accelerated filer |
Fiscal Year End | January 31 |