VF : Material Cybersecurity Incidents - Form 8-K

8-K

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 8-K

CURRENT REPORT

PURSUANT TO SECTION 13 OR 15(d)

OF THE SECURITIES EXCHANGE ACT OF 1934

Date of report (Date of earliest event reported): December 15, 2023

V.F. Corporation

(Exact name of registrant as specified in charter)

Pennsylvania		1-5256		23-1180120
(State or Other Jurisdiction of Incorporation)		(Commission File Number)		(IRS Employer Identification No.)

1551 Wewatta Street

Denver, Colorado80202

(Address of principal executive offices)

(720)778-4000

(Registrant's telephone number, including area code)

Check the appropriate box below if the Form 8-Kfiling is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

☐	Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

☐	Soliciting material pursuant to Rule 14a-12under the Exchange Act (17 CFR 240.14a-12)

☐	Pre-commencementcommunications pursuant to Rule 14d-2(b)under the Exchange Act (17 CFR 240.14d-2(b))

☐	Pre-commencementcommunications pursuant to Rule 13e-4(c)under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:

Title of Each Class		Trading Symbol(s)		Name of Each Exchange on which Registered
Common Stock, without par value, stated capital $.25 per share		VFC		New York Stock Exchange
4.125% Senior Notes due 2026		VFC26		New York Stock Exchange
0.250% Senior Notes due 2028		VFC28		New York Stock Exchange
4.250% Senior Notes due 2029		VFC29		New York Stock Exchange
0.625% Senior Notes due 2032		VFC32		New York Stock Exchange

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2of the Securities Exchange Act of 1934 (§240.12b-2of this chapter).

Emerging growth company ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Item 1.05

Material Cybersecurity Incidents.

On December 13, 2023, VF Corporation ("VF" or the "Company") detected unauthorized occurrences on a portion of its information technology (IT) systems. Upon detecting the unauthorized occurrences, the Company immediately began taking steps to contain, assess and remediate the incident, including beginning an investigation with leading external cybersecurity experts, activating its incident response plan, and shutting down some systems. The threat actor disrupted the Company's business operations by encrypting some IT systems, and stole data from the Company, including personal data. The Company is working to bring the impacted portions of its IT systems back online and implement workarounds for certain offline operations with the aim of reducing disruption to its ability to serve its retail and brand e-commerceconsumers and wholesale customers. VF-operated retail stores globally are open, and consumers can purchase available merchandise, but VF is experiencing certain operational disruptions. Consumers are able to place orders on most of the brand e-commerce sites globally, however, the Company's ability to fulfill orders is currently impacted. The Company, along with its external cybersecurity experts, continues to work diligently to respond to and mitigate the impact from the incident, and has notified and is cooperating with federal law enforcement.

As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company's business operations until recovery efforts are completed. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company's financial condition or results of operations.

Forward-Looking Statements

This Current Report on Form 8-Kcontains "forward-looking statements" within the meaning of the federal securities laws. Forward-looking statements are made based on VF's expectations and beliefs concerning future events impacting VF and therefore involve several risks and uncertainties. Words such as "will," "anticipate," "estimate," "expect," "should," and "may" and other words and terms of similar meaning or use of future dates may be used to identify forward-looking statements, however, the absence of these words or similar expressions does not mean that a statement is not forward-looking. All statements regarding the impact from the cybersecurity incident, the scope of the investigation and the Company's plans, objectives, projections and expectations relating to VF's operations or financial condition, and assumptions related thereto are forward-looking statements. Forward-looking statements are not guarantees and actual results could differ materially from those expressed or implied in the forward-looking statements. VF undertakes no obligation to publicly update or revise any forward-looking statements, whether as a result of new information, future events or otherwise, except as required by law. Potential risks and uncertainties that could cause the actual results of operations or financial condition of VF to differ materially from those expressed or implied by forward-looking statements include, but are not limited to: VF's ongoing assessment of the impacts of the cybersecurity incident; VF's expectations regarding its ability to contain and remediate the cybersecurity incident; further delays in the time required to verify some or all of VF's information technology systems; the impact of the incident on VF's relationships with customers, consumers and employees, VF's business operations, financial condition, results of operations and reputation, and confidence in our e-commerceplatforms; legal, reputational and financial risks resulting from the cybersecurity incident; the effectiveness of business continuity plans and cybersecurity risk management policies during the cybersecurity incident; and that any future, or still undetected, cybersecurity related incident, whether an attack, disruption, intrusion, denial of service, theft or other breach could result in unauthorized access to, or disclosure of, data, resulting in claims, costs and reputational harm that could negatively affect our actual results of operations or financial condition. More information on potential factors that could affect VF's financial results is included from time to time in VF's public reports filed with the SEC, including VF's Annual Report on Form 10-K,and Quarterly Reports on Form 10-Q,and Forms 8-Kfiled or furnished with the SEC.

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

V.F. CORPORATION
By:		/s/ Jennifer S. Sim
Name:		Jennifer S. Sim
Title:		Executive Vice President, General Counsel & Secretary

Date: December 18, 2023