|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Feb. 01, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity
The Company depends on the confidentiality, integrity and availability of information systems and data. We have systems and processes in place to assess, identify and manage cybersecurity incidents and those systems and processes are integrated into our overall risk management system.
Internal and third-party risks are reviewed, monitored and managed by the Company's ISC2, SANS and CompTIA certified IT security partners and external expert consultants. The Company annually engages third-party experts to assess the effectiveness of system and network security. Periodically, an external independent consultancy team conducts a comprehensive review of the Company's cybersecurity program using the National Institute of Standards and Technology Cybersecurity Framework. Additionally, the Company is assessed annually by an independent third party for compliance with the PCI-DSS standard, for which the Company receives an attestation of compliance.
The Company’s security awareness program seeks to create a culture of shared responsibility for the security of sensitive data and systems. There is required annual security training and quarterly phishing campaigns for team members with access to Company email. Annually, members of the IT department are required to take IT-specific training, and store employees take operations and security training. A third-party-led social engineering campaign that targets Kirkland’s employees is carried out on an annual basis. Key performance indicators and periodic testing of training materials ensure the program’s effectiveness.
The Company’s process for identifying and managing first- and third-party risks from cybersecurity threats includes proactive threat hunting, continuous monitoring of the Company’s systems and network for cybersecurity events, and regular testing of the Company’s Security Incident Response Plan, Business Continuity Plan and Disaster Recovery Plan. An external managed security services provider and an industry-leading security tool continuously monitor the Company’s systems and network for cybersecurity threats, and detect and respond to those threats. The Company’s IT security partners evaluate the escalated threats and, if necessary, take steps to contain and recover from pervasive threats in accordance with the Company’s Security Incident Response Plan. A third party with extensive experience in incident response and forensics is on retainer to assist with incidents. The Incident Response Plan includes reporting and escalation procedures to inform the Company’s executives, the Audit Committee, and full Board of Directors, as appropriate, to enable them to carry out their oversight responsibilities, and to ensure timely compliance with applicable reporting rules. The Company’s Incident Response Plan and Disaster Recovery Plan include procedures for business recovery and are tested at least annually. The Company also maintains a cyber insurance policy that provides coverage for material IT security incidents.
No risks from cybersecurity threats have materially affected, nor has the Company identified any specific risks from known cybersecurity threats that are reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. Please see “Item 1A. Risk Factors — Risks Related to Technology and Data Security” for additional discussion of cybersecurity risks applicable to the Company.
Management Responsibilities
Our cybersecurity program is managed by our Senior Director of Information Technology (“Technology Senior Director”). Our Technology Senior Director has 21 years of experience in information technology and cybersecurity, having been at the Company since 2003. The Technology Senior Director, along with the Company’s IT security partners, is responsible for reducing cybersecurity risk by maintaining a proactive security posture aligned with current threats, detecting cybersecurity events, responding quickly and building procedures to rapidly recover, if needed.
Board Responsibilities
On behalf of the Board of Directors, the Audit Committee provides oversight of the Company’s management of cybersecurity risk. The Audit Committee quarterly reviews the Company’s cybersecurity risks, incidents, audits, assessments, crisis readiness, awareness activities and compliance with cybersecurity and privacy laws and regulations. The Company’s Technology Senior Director briefs the Audit Committee quarterly on active and emerging cybersecurity threats and efforts to strengthen the Company’s defenses against these threats.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Company depends on the confidentiality, integrity and availability of information systems and data. We have systems and processes in place to assess, identify and manage cybersecurity incidents and those systems and processes are integrated into our overall risk management system.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our cybersecurity program is managed by our Senior Director of Information Technology (“Technology Senior Director”). Our Technology Senior Director has 21 years of experience in information technology and cybersecurity, having been at the Company since 2003. The Technology Senior Director, along with the Company’s IT security partners, is responsible for reducing cybersecurity risk by maintaining a proactive security posture aligned with current threats, detecting cybersecurity events, responding quickly and building procedures to rapidly recover, if needed.
Board Responsibilities
On behalf of the Board of Directors, the Audit Committee provides oversight of the Company’s management of cybersecurity risk. The Audit Committee quarterly reviews the Company’s cybersecurity risks, incidents, audits, assessments, crisis readiness, awareness activities and compliance with cybersecurity and privacy laws and regulations. The Company’s Technology Senior Director briefs the Audit Committee quarterly on active and emerging cybersecurity threats and efforts to strengthen the Company’s defenses against these threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company’s Technology Senior Director briefs the Audit Committee quarterly on active and emerging cybersecurity threats and efforts to strengthen the Company’s defenses against these threats.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
On behalf of the Board of Directors, the Audit Committee provides oversight of the Company’s management of cybersecurity risk. The Audit Committee quarterly reviews the Company’s cybersecurity risks, incidents, audits, assessments, crisis readiness, awareness activities and compliance with cybersecurity and privacy laws and regulations. The Company’s Technology Senior Director briefs the Audit Committee quarterly on active and emerging cybersecurity threats and efforts to strengthen the Company’s defenses against these threats.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Technology Senior Director has 21 years of experience in information technology and cybersecurity, having been at the Company since 2003. The Technology Senior Director, along with the Company’s IT security partners, is responsible for reducing cybersecurity risk by maintaining a proactive security posture aligned with current threats, detecting cybersecurity events, responding quickly and building procedures to rapidly recover, if needed.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true