INFORMATION SECURITY POLICY - GUIDING PRINCIPLES

Purpose

The purpose of this policy is to set out the guiding principles of Guess?, Inc. and Guess Europe SAGL (hereinafter collectively referred to as “Guess”) with respect to protecting the confidentiality, integrity, and availability of information.

Scope

This policy applies to: (i) information processed by or on behalf of Guess, including company business information, vendor information, and employee and customer personal information; and (ii) all employees and third-party users of the Guess information systems, including permanent staff, contractors, consultants, and third parties working for or on behalf of Guess. The principles set forth in this policy are implemented in other written policies issued by Guess.

Security Goals

Guess is committed to implementing the information security strategy described herein by maintaining the confidentiality, integrity, and availability of all physical and digital information assets. This supports the fulfillment of business, regulatory, operational, and contractual requirements.

The international standard ISO/IEC 27001 is used as a guide to establish a robust framework for protecting information assets and supporting the organization’s long-term compliance.

Policy Principles

• Guess takes a proactive approach to assess, identify, and manage cybersecurity risks, enhancing the security of its information systems to safeguard information from potential threats.
• Within the organization, Guess actively promotes security and regulatory compliance practices; it integrates cybersecurity seamlessly into its business agenda, considering it an integral aspect of its operations.
• Guess is dedicated to respecting customer privacy. The organization endeavors to process personal information in accordance with applicable laws while striving to implement effective information protection solutions. This commitment is aimed at delivering the best possible shopping experience.
• Fostering an enterprise-level cybersecurity culture is a priority for Guess. This initiative aims to raise awareness of cybersecurity threats and cultivate healthy cybersecurity habits, effectively reducing risks.
• Recognizing the importance of a robust risk management process, Guess conducts annual cybersecurity risk assessments. These assessments encompass identifying, evaluating, and managing cybersecurity threats, facilitating prompt responses to incidents.

Management Commitment

Guess management recognizes that it is critical to actively promote information security, including defining relevant roles and responsibilities, providing the necessary resources, and communicating the importance of information security.

This commitment ensures that security objectives are aligned with corporate goals and that sufficient resources are allocated to enable the effective implementation and continuous improvement of Guess’s security framework.