Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Mar. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
PetMed Express, Inc. (“PetMeds”) and PetCareRx maintain an enterprise-wide cybersecurity program designed to identify, assess, manage, and mitigate information security risks across the organization. Our program encompasses governance, policy, prevention, detection, incident response, and recovery mechanisms in alignment with industry standards.

Cybersecurity Risk Management and Oversight
Our cybersecurity risk management program is built to protect our systems, data, and customers from a wide range of cyber threats. This includes internal protocols and controls, as well as third-party oversight. Our cybersecurity practices are guided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which categorizes cybersecurity tasks into five key functions: identify, protect, detect, respond, and recover. This functional orientation helps organizations make informed decisions about reducing cyberattacks.
Cybersecurity risk is formally overseen by the Audit Committee of our Board of Directors. The Audit Committee receives regular briefings from management on cybersecurity topics, including strategy, threats, incident trends, remediation activities, and updates on material developments, as appropriate.

Incident Detection and Response

We have implemented an Incident Response Policy and detailed procedures that govern how potential cybersecurity events are identified, escalated, investigated, contained, and remediated. The objectives of our incident response program include:

Timely investigation and validation of incidents
Minimization of data loss or service disruption
Evidence preservation in accordance with legal and regulatory requirements
Restoration of affected systems and services
Post-incident review and implementation of corrective actions
Notification to affected parties and regulators, where appropriate

These procedures are tested and exercised periodically to ensure preparedness and adaptability.

Security Measures and Monitoring

We deploy a layered defense model using widely adopted technologies and internal solutions for threat monitoring, detection, and response. Our efforts include:
Regular system scans, vulnerability assessments, and penetration testing
Ongoing compliance with the Payment Card Industry Data Security Standard (PCI DSS)
Deployment of endpoint detection and response (EDR) tools and real-time monitoring solutions
Secure development practices and controls embedded within our digital transformation initiatives

As we modernize our digital platforms and phase out legacy systems, we are embedding advanced security practices into our infrastructure. This includes improving controls around identity management, access, encryption, and software development life cycles.

Third-Party and Vendor Risk Management
Our vendor and partner management processes include security due diligence, contractually required safeguards, and—in relevant cases—direct review of their cybersecurity practices. We require certain vendors with access to sensitive systems or data to undergo security training or meet specific security certification requirements.

Training and Awareness
Cybersecurity awareness is a foundational element of our risk management approach. We conduct recurring cybersecurity training for employees across the company, with tailored modules that address evolving threat vectors such as phishing, ransomware, and social engineering. Additional targeted training is provided to users in high-risk roles.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our cybersecurity risk management program is built to protect our systems, data, and customers from a wide range of cyber threats. This includes internal protocols and controls, as well as third-party oversight. Our cybersecurity practices are guided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which categorizes cybersecurity tasks into five key functions: identify, protect, detect, respond, and recover. This functional orientation helps organizations make informed decisions about reducing cyberattacks.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] Cybersecurity risk is formally overseen by the Audit Committee of our Board of Directors.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Cybersecurity risk is formally overseen by the Audit Committee of our Board of Directors.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee receives regular briefings from management on cybersecurity topics, including strategy, threats, incident trends, remediation activities, and updates on material developments, as appropriate.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true