|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Feb. 02, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our business operations and relationships with customers and suppliers are heavily reliant on technology. We operate a cybersecurity program designed to assess our security risks and threats, to manage those risks and protect our technology systems and data, and to detect and respond to cybersecurity incidents.
We manage strategic risks, including cybersecurity risk, through our Enterprise Risk Management program which has direct involvement from the board of directors, the audit committee, and senior management. Through this process, we have identified cybersecurity as a risk management priority.
We utilize third-party service providers as a normal part of our business operations. To address cybersecurity risks arising from our relationships with third-party service providers, we employ a vendor risk program. We monitor risks relating to potential compromises of sensitive information at our third-party service providers and re-evaluate the risks associated with our partners periodically. Prior to exchanging our data with third-party service providers, they are required to go through a vendor risk assessment. We also conduct third-party security reviews and evaluate their network, processes, and systems. In addition, we obtain annual attestation reports related to data security and privacy from certain third-party service providers to further support compliance with industry-standard cybersecurity protocols.As of the date of this annual report, we are not aware of any cybersecurity incidents that have had a material impact on our business. However, like many companies, we continue to face ongoing cyber threats, including phishing and other unauthorized access attempts, which if successful could have a material impact in the future. For more information, see “Risks related to information security and technology” included in Item 1A. Risk Factors of this annual report.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We manage strategic risks, including cybersecurity risk, through our Enterprise Risk Management program which has direct involvement from the board of directors, the audit committee, and senior management. Through this process, we have identified cybersecurity as a risk management priority.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our board of directors is responsible for the oversight of cybersecurity risks and has delegated primary responsibility to the audit committee, which is responsible for overseeing our enterprise risk assessments and management policies, procedures, and practices (including regarding those risks related to information security, cybersecurity, and data protection).
The audit committee maintains a cybersecurity sub-committee that is comprised of our EVP, Chief Information Officer ("CIO"), our SVP, Chief Information Security Officer ("CISO"), and representatives from the audit committee and board of directors that have knowledge and experience in cybersecurity matters. The cybersecurity sub-committee reviews our cybersecurity risk assessments and the steps being taken to monitor, control, and report on those risks as well as discusses regulatory and market developments. They also review our process for identifying and responding to cybersecurity incidents in a timely manner, and details of cybersecurity attacks or incidents which have occurred.
Management generally meets with, and provides reports to, the cybersecurity sub-committee on a quarterly basis. Our CIO and CISO also meet with and provide reports to the audit committee at least quarterly. The board of directors receives periodic reports regarding the activities of the cybersecurity sub-committee. These reports and meetings are designed to inform the board of directors and committees about the current state of our information security program including cybersecurity risks, the nature, timing, and extent of cybersecurity incidents, if any, and the resolution of such matters.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors is responsible for the oversight of cybersecurity risks and has delegated primary responsibility to the audit committee, which is responsible for overseeing our enterprise risk assessments and management policies, procedures, and practices (including regarding those risks related to information security, cybersecurity, and data protection).
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Management generally meets with, and provides reports to, the cybersecurity sub-committee on a quarterly basis. Our CIO and CISO also meet with and provide reports to the audit committee at least quarterly. The board of directors receives periodic reports regarding the activities of the cybersecurity sub-committee. These reports and meetings are designed to inform the board of directors and committees about the current state of our information security program including cybersecurity risks, the nature, timing, and extent of cybersecurity incidents, if any, and the resolution of such matters.
|Cybersecurity Risk Role of Management [Text Block]
|
Our CISO is responsible for our cybersecurity program, including risk assessments, information security activities, and controls. The CISO is responsible for establishing and maintaining corporate information security policies and overseeing our risk management activities, which prioritize vulnerability management, risk reduction, and prevention. Our CISO also leads our Cyber Defense and Incident Response (“CDIR”) team which identifies, assesses, escalates, and remediates cybersecurity incidents. Our CISO has over 30 years of experience in the field of cybersecurity, bringing an extensive understanding of cybersecurity threats, regulatory compliance, and industry best practices.
The CDIR team monitors and manages key cybersecurity risks, including threats related to third parties, cloud security, malicious code, e-commerce systems, and store technology. It also conducts security reviews, assesses vulnerabilities, and analyzes threat intelligence to strengthen our cyber defenses and incident response efforts.
As part of our cybersecurity program, we conduct cybersecurity awareness training including phishing simulations and supplemental campaigns as well as mandatory e-learning for all our employees. Our employees have multiple mechanisms for reporting cybersecurity and data privacy concerns. We work with third-party cybersecurity advisors to undertake assessments of our critical systems and to remediate any high-risk vulnerabilities identified. We also engage third parties to perform penetration testing on our key systems to identify potential weaknesses.As part of our cyber incident response plan, we utilize an established framework to assess the severity of cybersecurity incidents. Under the plan, incidents are escalated to relevant senior management, and the board of directors, as appropriate, based on their severity. Our disclosure committee assesses the materiality of severe incidents including both quantitative and qualitative factors.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our CISO is responsible for our cybersecurity program, including risk assessments, information security activities, and controls. The CISO is responsible for establishing and maintaining corporate information security policies and overseeing our risk management activities, which prioritize vulnerability management, risk reduction, and prevention. Our CISO also leads our Cyber Defense and Incident Response (“CDIR”) team which identifies, assesses, escalates, and remediates cybersecurity incidents.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has over 30 years of experience in the field of cybersecurity, bringing an extensive understanding of cybersecurity threats, regulatory compliance, and industry best practices.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CISO is responsible for our cybersecurity program, including risk assessments, information security activities, and controls. The CISO is responsible for establishing and maintaining corporate information security policies and overseeing our risk management activities, which prioritize vulnerability management, risk reduction, and prevention. Our CISO also leads our Cyber Defense and Incident Response (“CDIR”) team which identifies, assesses, escalates, and remediates cybersecurity incidents. Our CISO has over 30 years of experience in the field of cybersecurity, bringing an extensive understanding of cybersecurity threats, regulatory compliance, and industry best practices.
The CDIR team monitors and manages key cybersecurity risks, including threats related to third parties, cloud security, malicious code, e-commerce systems, and store technology. It also conducts security reviews, assesses vulnerabilities, and analyzes threat intelligence to strengthen our cyber defenses and incident response efforts.
As part of our cybersecurity program, we conduct cybersecurity awareness training including phishing simulations and supplemental campaigns as well as mandatory e-learning for all our employees. Our employees have multiple mechanisms for reporting cybersecurity and data privacy concerns. We work with third-party cybersecurity advisors to undertake assessments of our critical systems and to remediate any high-risk vulnerabilities identified. We also engage third parties to perform penetration testing on our key systems to identify potential weaknesses.As part of our cyber incident response plan, we utilize an established framework to assess the severity of cybersecurity incidents. Under the plan, incidents are escalated to relevant senior management, and the board of directors, as appropriate, based on their severity. Our disclosure committee assesses the materiality of severe incidents including both quantitative and qualitative factors.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef