Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management & Strategy

Rocky Brands recognizes the critical importance of developing, implementing, and maintaining a robust information security program to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We have established information security programs and policies, including processes for identifying, assessing, and managing risks arising from cybersecurity threats. These processes involve regular assessments of our information systems and infrastructure to identify vulnerabilities and threats. We focus on executing a centralized information technology and cybersecurity program. Our Company-wide approach is to be positioned as one security program, one posture and one roadmap for the enterprise. This platform is administered across our departments by our cybersecurity team led by our Vice President of Information Technology. Our information security programs and policies are aligned with those of the Center for Internet Security (CIS), Control Objectives for Information Technologies (COBIT), and National Institute of Standards and Technology (NIST).

We are integrating our information security programs and cybersecurity risk management processes into our overall enterprise risk management (“ERM”) strategy. We are developing an entity-wide information technology ERM framework and will take steps to monitor, report on and communicate to stakeholders consistent with our ERM strategy. Recognizing the cybersecurity risk landscape is complex and ever-evolving, we engage with a broad group of external experts, consultants and auditors in evaluating and testing our information security programs. We leverage this specialized expertise to manage threat detection and response management, conduct regular audits and consult on our overall information security programs.

We are acutely aware of risks associated with third-party service providers and we incorporate cybersecurity into our third-party vendor management policy. We conduct thorough security assessments to determine the category of risk third parties pose to Rocky Brands, with a priority focus on vendors with products or services that will have access to private and sensitive information. Vendor assessments incorporate inputs including, for example, BitSight and Service Organization Control Type 2 (“SOC2”) information available for our third-party vendors. Our assessments and monitoring are designed to mitigate risks related to data breaches or other security incidents originating from third parties.

Although there were no cybersecurity incidents during the year ended December 31, 2024 that had a material impact on our business strategy, results of operations or financial condition, the scope and impact of any future incident cannot be predicted. See Item 1A. - Risk Factors for more information about our information security and cybersecurity risks.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We are integrating our information security programs and cybersecurity risk management processes into our overall enterprise risk management (“ERM”) strategy. We are developing an entity-wide information technology ERM framework and will take steps to monitor, report on and communicate to stakeholders consistent with our ERM strategy. Recognizing the cybersecurity risk landscape is complex and ever-evolving, we engage with a broad group of external experts, consultants and auditors in evaluating and testing our information security programs. We leverage this specialized expertise to manage threat detection and response management, conduct regular audits and consult on our overall information security programs.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] Although there were no cybersecurity incidents during the year ended December 31, 2024 that had a material impact on our business strategy, results of operations or financial condition, the scope and impact of any future incident cannot be predicted. See Item 1A. - Risk Factors for more information about our information security and cybersecurity risks.
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Our Board of Directors has established governance protocol over risk management, including general oversight of information technology security and cybersecurity risk. The Audit Committee is central to the Board’s oversight of cybersecurity risks and is primarily responsible for this domain. The Audit Committee actively participates in discussions with management, external experts and amongst themselves regarding cybersecurity risks. The Audit Committee is comprised of Board members with broad expertise, including technology, risk management and finance, enabling them to effectively oversee and govern cybersecurity risks. One Audit Committee member is certified under the National Association of Corporate Directors Certificate in Cyber-Risk Oversight Program.

We have developed a robust organizational structure to manage and oversee our information technology and cybersecurity programs, including full-time information security associates dedicated to cybersecurity. These individuals possess relevant experience and expertise in cybersecurity and risk management. Our Director, IT Infrastructure & Security leads our information security, data privacy and protection, and information technology compliance programs. The Director stays current with security-related topics through webinars, training classes or cybersecurity conferences. Guided by management, our information technology teams maintain a detailed Cyber Incident Response Plan ("CIRP") and hold frequent meetings to ensure the proper communication and execution of our security controls and procedures. The Cybersecurity team's expertise ranges from Associate of ISC2-CISSP certification to extensive training on current security products. The Director, IT Infrastructure & Security regularly reports to the Vice President of Information Technology and maintains ongoing dialog with the reporting structure to our CEO, CFO and COO, and Board of Directors regarding our information security programs. This reporting includes updates on matters evaluated under our CIRP, the current threat landscape, cybersecurity initiatives, and the effectiveness of our cybersecurity programs.

Our Vice President of Information Technology has more than 35 years of experience working as an IT professional, 13 years of which have been at the Company in various roles, such as Programming, Business Analysis, Systems Analysis, Operations, EDI Manager, and Applications Director.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors has established governance protocol over risk management, including general oversight of information technology security and cybersecurity risk. The Audit Committee is central to the Board’s oversight of cybersecurity risks and is primarily responsible for this domain. The Audit Committee actively participates in discussions with management, external experts and amongst themselves regarding cybersecurity risks. The Audit Committee is comprised of Board members with broad expertise, including technology, risk management and finance, enabling them to effectively oversee and govern cybersecurity risks. One Audit Committee member is certified under the National Association of Corporate Directors Certificate in Cyber-Risk Oversight Program.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] We have developed a robust organizational structure to manage and oversee our information technology and cybersecurity programs, including full-time information security associates dedicated to cybersecurity. These individuals possess relevant experience and expertise in cybersecurity and risk management. Our Director, IT Infrastructure & Security leads our information security, data privacy and protection, and information technology compliance programs. The Director stays current with security-related topics through webinars, training classes or cybersecurity conferences. Guided by management, our information technology teams maintain a detailed Cyber Incident Response Plan ("CIRP") and hold frequent meetings to ensure the proper communication and execution of our security controls and procedures. The Cybersecurity team's expertise ranges from Associate of ISC2-CISSP certification to extensive training on current security products. The Director, IT Infrastructure & Security regularly reports to the Vice President of Information Technology and maintains ongoing dialog with the reporting structure to our CEO, CFO and COO, and Board of Directors regarding our information security programs. This reporting includes updates on matters evaluated under our CIRP, the current threat landscape, cybersecurity initiatives, and the effectiveness of our cybersecurity programs.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our Vice President of Information Technology has more than 35 years of experience working as an IT professional, 13 years of which have been at the Company in various roles, such as Programming, Business Analysis, Systems Analysis, Operations, EDI Manager, and Applications Director.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true