Savers Value Village, Inc. has recently released its 10-K report, providing a comprehensive look into its operations. The company, founded in 1954 and based in Bellevue, Washington, operates retail stores under various brands, including Savers, Value Village, and Unique, selling second-hand merchandise in the United States, Canada, and Australia. The report highlights the company's commitment to maintaining a cybersecurity risk management strategy, encompassing assessments, monitoring, and proactive measures to safeguard its assets and operations.
In the 10-K report, under Item 1C, Savers Value Village outlines its cybersecurity risk management strategy, which involves a combination of internal and external risk assessments, monitoring, vulnerability scanning, and remediation, aligned with industry-standard methodologies and frameworks. The company conducts annual internal and external risk assessments to identify, evaluate, and prioritize potential risks to its business operations, data, and information systems. It also emphasizes continuous monitoring, employing appropriate technologies and tools to detect and respond to anomalies, potential threats, and emerging vulnerabilities.
Furthermore, Savers Value Village engages in annual external penetration testing conducted by reputable third-party security firms to evaluate the effectiveness of its defenses and identify areas for improvement. The company has also deployed a Disaster Recovery as a Service solution to enhance its ability to recover and restore data in the event of a cybersecurity incident or other events.
The report also acknowledges a ransomware incident in 2020, associated with a well-known threat actor, which resulted in the encryption of personnel time and attendance data. However, no evidence of unauthorized access to personal or business-related information was found, and the company's IT Security team immediately blocked the point of entry. Post-incident, Savers undertook a comprehensive review, identifying areas of vulnerability and implementing controls, including appropriate backup approaches, proactive security monitoring tools and processes, and the expansion of its cybersecurity team and activities.
The company's governance structure includes oversight of operational risk management by the Board, particularly the Audit Committee, which reviews and discusses major financial risk exposures, risk assessment, and risk management policies. The Audit Committee also has specific oversight of risks related to data privacy and information security, including compliance with applicable laws and management's response to material cybersecurity and privacy incidents or breaches. Additionally, the company maintains a Crisis Response Plan, including specific procedures and considerations for cybersecurity and ransomware incidents, involving the executive team and outside advisors, and required reporting to the Audit Committee and Board.
Savers Value Village's Chief Information Officer (CIO) is responsible for assessing and managing cybersecurity risks, reporting directly to the CEO and being a member of the Enterprise Risk Committee. The Chief Compliance Officer (CCO), who is also the General Counsel, oversees the Crisis Response Plan, reporting directly to the CEO, being a member of the Enterprise Risk Committee, and leading the company's response to the 2020 ransomware attack.
Following these announcements, the company's shares moved -7.5%, and are now trading at a price of $19.43. If you want to know more, read the company's complete 10-K report here.
