|
Disclosure - Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Sep. 30, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY
Risk Management Strategies
Our Company is committed to protecting the privacy and security of customer information and the integrity of our information technology systems. We have developed and implemented a cybersecurity risk management program (“Cybersecurity Program”) that is tailored to address specific risks in the retail industry, using a flexible approach informed by our deep understanding of attacker methodologies, targeted assets, and industry best practices. The Cybersecurity Program is intended to protect the confidentiality, availability, and integrity of our information and critical systems by continually monitoring, assessing, identifying, and mitigating cybersecurity risks. The Cybersecurity Program is part of our integrated risk management process and includes, but is not limited to, the following features:
• Regularly simulated phishing attacks and comprehensive cybersecurity training for all employees, with special focus on high-risk individuals using a new security awareness platform.
• Cybersecurity insurance coverage to mitigate financial impacts from potential cyber incidents.
• Endpoint detection and response technologies (EDR) to monitor systems continuously for malicious activity.
• Behavior analytics tools that help track normal behavior patterns and quickly detect any anomalies.
• Cloud security measures, offering comprehensive protection and vulnerability management for our cloud environments.
• Digital risk protection that includes brand protection, social media monitoring, dark web surveillance, and proactive response to phishing, fraud, and account takeovers.
• Zero-day vulnerability management, with third-party monitoring to prioritize critical vulnerabilities based on real-time risk assessments and active exploitation.
• Comprehensive vendor risk management program, including penetration tests, Service Organization Control (“SOC”) reports, and security architecture reviews, especially for third parties managing sensitive data or accessing internal systems.
In addition, we have a written cybersecurity incident response plan (“Response Plan”) that is reviewed and updated, if necessary, at least annually. The Response Plan includes a cross-functional incident response team comprised of various key executive representatives from different departments in our organization, such as our Chief Information Security Officer (“CISO”) and General Counsel, that are tasked with assessing the scope, nature, and potential impact of incidents. Findings are reported to the Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), our Board and the Disclosure Committee, the latter of which is comprised of senior representatives from our finance, accounting, internal audit and legal departments under the supervision of the CEO and CFO.
We also regularly engage third parties to perform assessments on the Cybersecurity Program, including an annual self-assessed risk review facilitated by an independent third party, where we evaluate various cybersecurity domains and control areas and benchmark our program against industry peers. Additionally, we conduct annual third-party penetration tests focused on our highest-risk areas globally, providing insights into potential vulnerabilities. These assessments are supplemented by red team exercises and real-world incident response simulations to continually improve our security posture.
From time to time, we experience cybersecurity threats and incidents. As of the date of this Annual Report, we have not identified any instances that have occurred in the current year, or in prior years, that would have a material impact on our Company or on our results of operations, or financial position. For more information related to our cybersecurity risks, see Item 1A. “Risk Factors–Regulatory, Legal, and Cybersecurity Risks” within this Annual Report.
Governance
Our Board understands the critical importance of managing evolving risks associated with cybersecurity threats. The Board has responsibility for overseeing risks related to the cybersecurity threat landscape, including data protection and security breach readiness. Our CISO reports directly to the Chief Information Officer and is responsible for the operation of our Cybersecurity Program. Our CISO brings over 25 years of experience in information security, including more than 10 years as a Chief Information Security Officer in the retail industry. With a diverse background in both industry and consulting, our CISO has led major security programs, implementing practical strategies to protect critical data and systems.
On at least a quarterly basis, the CISO delivers a detailed report to the full Board on data protection and cybersecurity matters. Topics covered by these reports include, but are not limited to, risk identification and management strategies, cybersecurity strategy and governance structure, consumer data protection, the Company’s ongoing risk mitigation activities, learnings from data security incidents of peer companies, results of third-party assessments and testing, updates on annual associate training and other specific training initiatives.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our Company is committed to protecting the privacy and security of customer information and the integrity of our information technology systems. We have developed and implemented a cybersecurity risk management program (“Cybersecurity Program”) that is tailored to address specific risks in the retail industry, using a flexible approach informed by our deep understanding of attacker methodologies, targeted assets, and industry best practices. The Cybersecurity Program is intended to protect the confidentiality, availability, and integrity of our information and critical systems by continually monitoring, assessing, identifying, and mitigating cybersecurity risks. The Cybersecurity Program is part of our integrated risk management process
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board understands the critical importance of managing evolving risks associated with cybersecurity threats. The Board has responsibility for overseeing risks related to the cybersecurity threat landscape, including data protection and security breach readiness. Our CISO reports directly to the Chief Information Officer and is responsible for the operation of our Cybersecurity Program. Our CISO brings over 25 years of experience in information security, including more than 10 years as a Chief Information Security Officer in the retail industry. With a diverse background in both industry and consulting, our CISO has led major security programs, implementing practical strategies to protect critical data and systems.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board has responsibility for overseeing risks related to the cybersecurity threat landscape, including data protection and security breach readiness.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our CISO reports directly to the Chief Information Officer and is responsible for the operation of our Cybersecurity Program.
|Cybersecurity Risk Role of Management [Text Block]
|
On at least a quarterly basis, the CISO delivers a detailed report to the full Board on data protection and cybersecurity matters. Topics covered by these reports include, but are not limited to, risk identification and management strategies, cybersecurity strategy and governance structure, consumer data protection, the Company’s ongoing risk mitigation activities, learnings from data security incidents of peer companies, results of third-party assessments and testing, updates on annual associate training and other specific training initiatives.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|On at least a quarterly basis, the CISO delivers a detailed report to the full Board on data protection and cybersecurity matters.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO brings over 25 years of experience in information security, including more than 10 years as a Chief Information Security Officer in the retail industry. With a diverse background in both industry and consulting, our CISO has led major security programs, implementing practical strategies to protect critical data and systems.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Topics covered by these reports include, but are not limited to, risk identification and management strategies, cybersecurity strategy and governance structure, consumer data protection, the Company’s ongoing risk mitigation activities, learnings from data security incidents of peer companies, results of third-party assessments and testing, updates on annual associate training and other specific training initiatives.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true