|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Sep. 30, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 16K. CYBERSECURITY
Cybersecurity risk management is an important part of our overall risk management efforts. We maintain certain cybersecurity processes, technologies and controls to aid in our efforts to assess, identify and manage material risks and seek to continuously develop such processes, technologies and controls further. We assess cybersecurity risk at both the management and board levels.
Management’s Role and the Process of Managing Risk
Our Chief Information Officer (“CIO”) has primary responsibility for implementing and overseeing our enterprise-wide cybersecurity strategy, policy, architecture and processes. Our CIO reports to our Chief Executive Officer and our CIO has significant experience leading technology teams at large companies, including in the footwear industry, and managing and transforming complex business and IT organizations into unified transparent operations.
At the management level, the primary responsibility for assessing and managing material risks from cybersecurity threats rests with our Director IT Security & Compliance (“DISC”), who has more than a decade of experience in information technology and cybersecurity. He has a longstanding background within network and cloud security, application security and security operations. In addition, he holds globally recognized certifications within cybersecurity, including CISSP (Certified Information Systems Security Professional) and CCSP (Certified Cloud Security Professional) under ISO/IEC17024. The DISC leads our cybersecurity team and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents, and reports to our CIO.
We use various tools and methodologies to identify and manage cybersecurity risk, including risk assessments and a vulnerability management program that includes periodic penetration testing. We have a third-party cyber risk management program that conducts assessments on third parties who integrate with our data, network, systems and applications. These tools and methodologies inform our remediation activities, which are tracked and reported to senior management. In addition, we engage third parties to assess our cybersecurity program maturity and to perform audits of portions of our cybersecurity control environment based on risk or where necessary to ensure regulatory compliance. We use security tools for prevention, detection and response and engage third parties to assess and consult on our approaches and to stay in line with our IT policies. External suppliers and service providers are assessed on cybersecurity during the procurement process and protocols are established regarding incident reporting and communication of other relevant matters between such third parties and the Company.
Our management team works closely with the CIO, ensuring that our cybersecurity efforts align with our business objectives and operational needs. Key components of our cybersecurity approach include, among other things:
Measures implemented
• established a dedicated action team, led by our CIO and DISC, to oversee and manage cybersecurity risks;
• industry-standard technologies, processes and external Security Operations center (SOC) services to protect our systems and data and to help detect and mitigate potential suspicious activity. The SOC services have been implemented for the Microsoft environment with Ontinue and are being further expanded across the broader infrastructure;
• access controls to safeguard data and systems;
• periodic review and update of our relevant policies/procedures;
• implemented a process to conduct penetration tests and assessments throughout the year. Ionix has been implemented successfully; and
• implemented an awareness- and training platform for end users in the US, including periodic phishing simulations for our employees. KnowB4 has been implemented where we conducted phishing simulations and the first batch of training modules have been provided to our employees.
Measures planned to be implemented
• implement an awareness- and training platform for all end users in Europe and APAC including phishing simulations for employees with a go-live date of October 1, 2025;
• commence the certification process for ISO27001 with target date for the certification being Q3 2026;
• implement a risk management platform for cybersecurity and other IT general risks named Drata. This is an information security management software specialized in maintaining the Company's risks, ISO certifications and SOX relevant protocols, which started in November 2024 with a full Go-Live scheduled for January 2026; and
• continue the gradual implementation of artificial intelligence ("AI") technology during 2026 tailored to achieve measurable results, including the adoption of an AI policy as a governance foundation; any generic AI driven technology directly using internal data or other confidential information is blocked and can only be granted access following a comprehensive legal, IT and business review and approval process.
The DISC manages a cybersecurity team that meets regularly to monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. In the event of a cybersecurity incident, we have an incident response plan and a crisis escalation process that govern our immediate response including detection, escalation, assessment, management and remediation. As part of incident response, the cybersecurity team may also engage with external advisers and other key stakeholders as needed. Based on the materiality assessment the Board of Directors and the Audit Committee are informed and, if material, escalation and communication protocols are taken. Such protocols are established as part of the Company’s information security policy.
Board Oversight
As part of its risk management oversight responsibilities, our board of directors has ultimate oversight over the key risk decisions taken by management, including with respect to cybersecurity risk priorities, resource allocation and oversight structures. The board of directors receives an update on our cybersecurity program as determined to be necessary or advisable. The board of directors has delegated parts of its risk management oversight responsibility for information security and data protection to our audit committee, which regularly reviews our cybersecurity program and related matters with management, including the steps management has taken to monitor and control such risk exposures, and reports to the board of directors. Our escalation process is designed to ensure that potentially material cybersecurity incidents are appropriately assessed and reported, if determined to be material.
Risks from Cybersecurity Threats
Even though, to date, cybersecurity risks have not materially affected our business strategy, results of operations or financial condition, we face numerous and evolving cybersecurity threats. There can be no assurance that we, or the third parties with which we interact, will not face a cybersecurity incident in the future that will materially affect us. For more information about the cybersecurity risks we face, see “Item 3. Key Information—D. Risk Factors—Our operations, products, systems and services rely on complex IT systems and networks that are subject to the risk of disruption and security breaches.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have a third-party cyber risk management program that conducts assessments on third parties who integrate with our data, network, systems and applications.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board Oversight
As part of its risk management oversight responsibilities, our board of directors has ultimate oversight over the key risk decisions taken by management, including with respect to cybersecurity risk priorities, resource allocation and oversight structures. The board of directors receives an update on our cybersecurity program as determined to be necessary or advisable. The board of directors has delegated parts of its risk management oversight responsibility for information security and data protection to our audit committee, which regularly reviews our cybersecurity program and related matters with management, including the steps management has taken to monitor and control such risk exposures, and reports to the board of directors. Our escalation process is designed to ensure that potentially material cybersecurity incidents are appropriately assessed and reported, if determined to be material.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|As part of its risk management oversight responsibilities, our board of directors has ultimate oversight over the key risk decisions taken by management, including with respect to cybersecurity risk priorities, resource allocation and oversight structures. The board of directors receives an update on our cybersecurity program as determined to be necessary or advisable.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The board of directors has delegated parts of its risk management oversight responsibility for information security and data protection to our audit committee, which regularly reviews our cybersecurity program and related matters with management, including the steps management has taken to monitor and control such risk exposures, and reports to the board of directors. Our escalation process is designed to ensure that potentially material cybersecurity incidents are appropriately assessed and reported, if determined to be material.
|Cybersecurity Risk Role of Management [Text Block]
|
Management’s Role and the Process of Managing Risk
Our Chief Information Officer (“CIO”) has primary responsibility for implementing and overseeing our enterprise-wide cybersecurity strategy, policy, architecture and processes. Our CIO reports to our Chief Executive Officer and our CIO has significant experience leading technology teams at large companies, including in the footwear industry, and managing and transforming complex business and IT organizations into unified transparent operations.
At the management level, the primary responsibility for assessing and managing material risks from cybersecurity threats rests with our Director IT Security & Compliance (“DISC”), who has more than a decade of experience in information technology and cybersecurity. He has a longstanding background within network and cloud security, application security and security operations. In addition, he holds globally recognized certifications within cybersecurity, including CISSP (Certified Information Systems Security Professional) and CCSP (Certified Cloud Security Professional) under ISO/IEC17024. The DISC leads our cybersecurity team and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents, and reports to our CIO.
We use various tools and methodologies to identify and manage cybersecurity risk, including risk assessments and a vulnerability management program that includes periodic penetration testing. We have a third-party cyber risk management program that conducts assessments on third parties who integrate with our data, network, systems and applications. These tools and methodologies inform our remediation activities, which are tracked and reported to senior management. In addition, we engage third parties to assess our cybersecurity program maturity and to perform audits of portions of our cybersecurity control environment based on risk or where necessary to ensure regulatory compliance. We use security tools for prevention, detection and response and engage third parties to assess and consult on our approaches and to stay in line with our IT policies. External suppliers and service providers are assessed on cybersecurity during the procurement process and protocols are established regarding incident reporting and communication of other relevant matters between such third parties and the Company.
Our management team works closely with the CIO, ensuring that our cybersecurity efforts align with our business objectives and operational needs. Key components of our cybersecurity approach include, among other things:
Measures implemented
• established a dedicated action team, led by our CIO and DISC, to oversee and manage cybersecurity risks;
• industry-standard technologies, processes and external Security Operations center (SOC) services to protect our systems and data and to help detect and mitigate potential suspicious activity. The SOC services have been implemented for the Microsoft environment with Ontinue and are being further expanded across the broader infrastructure;
• access controls to safeguard data and systems;
• periodic review and update of our relevant policies/procedures;
• implemented a process to conduct penetration tests and assessments throughout the year. Ionix has been implemented successfully; and
• implemented an awareness- and training platform for end users in the US, including periodic phishing simulations for our employees. KnowB4 has been implemented where we conducted phishing simulations and the first batch of training modules have been provided to our employees.
Measures planned to be implemented
• implement an awareness- and training platform for all end users in Europe and APAC including phishing simulations for employees with a go-live date of October 1, 2025;
• commence the certification process for ISO27001 with target date for the certification being Q3 2026;
• implement a risk management platform for cybersecurity and other IT general risks named Drata. This is an information security management software specialized in maintaining the Company's risks, ISO certifications and SOX relevant protocols, which started in November 2024 with a full Go-Live scheduled for January 2026; and
• continue the gradual implementation of artificial intelligence ("AI") technology during 2026 tailored to achieve measurable results, including the adoption of an AI policy as a governance foundation; any generic AI driven technology directly using internal data or other confidential information is blocked and can only be granted access following a comprehensive legal, IT and business review and approval process.
The DISC manages a cybersecurity team that meets regularly to monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. In the event of a cybersecurity incident, we have an incident response plan and a crisis escalation process that govern our immediate response including detection, escalation, assessment, management and remediation. As part of incident response, the cybersecurity team may also engage with external advisers and other key stakeholders as needed. Based on the materiality assessment the Board of Directors and the Audit Committee are informed and, if material, escalation and communication protocols are taken. Such protocols are established as part of the Company’s information security policy.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our Chief Information Officer (“CIO”) has primary responsibility for implementing and overseeing our enterprise-wide cybersecurity strategy, policy, architecture and processes. Our CIO reports to our Chief Executive Officer and our CIO has significant experience leading technology teams at large companies, including in the footwear industry, and managing and transforming complex business and IT organizations into unified transparent operations.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|At the management level, the primary responsibility for assessing and managing material risks from cybersecurity threats rests with our Director IT Security & Compliance (“DISC”), who has more than a decade of experience in information technology and cybersecurity. He has a longstanding background within network and cloud security, application security and security operations. In addition, he holds globally recognized certifications within cybersecurity, including CISSP (Certified Information Systems Security Professional) and CCSP (Certified Cloud Security Professional) under ISO/IEC17024.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The DISC leads our cybersecurity team and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents, and reports to our CIO.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true