Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Feb. 01, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

We are committed to protecting our customer and employee data.  We employ a defense-in-depth cybersecurity strategy leveraging industry frameworks that feature a prioritized set of robust controls that encompass people, processes and technologies.  Our Chief Information Officer (“CIO”) is responsible for the execution of our cybersecurity strategy.  Our CIO has over 25 years of retail industry experience developing and implementing information technology strategies and leading cybersecurity programs.  The CIO is supported by a team of highly qualified professionals, many of whom hold cybersecurity certifications.

The Company’s cybersecurity policies, standards and processes are integrated into the Company’s overall risk management program, and cybersecurity risks are regularly evaluated in the context of material risks to the Company.  We regularly engage with outside experts to assess the maturity of our organizational security program and to inform our short- and long-term cybersecurity strategy.

We maintain a comprehensive cybersecurity program designed to protect the confidentiality, integrity, and availability of our data, systems, and networks. Our security framework is based on a defense-in-depth strategy, employing multiple layers of security controls to mitigate risks associated with cyber threats. Key components of the Information Security Program include:

Network and Endpoint Security: Firewalls, intrusion prevention systems, endpoint detection and response solutions, and monitoring and alerting.
Access Controls and Authentication: Multi-factor authentication, least-privilege access principles, role-based access controls and privileged identity management.
Data Protection: Encryption of sensitive data in transit and at rest, data loss prevention tools, data classification and labeling, and secure backup solutions.
Incident Response: An incident response plan aligned with industry-best practices and a framework for evaluating the materiality of the incident for disclosure and reporting purposes.
Compliance and Governance: Adherence to regulatory requirements, third-party risk management and routine security audits.
Security Awareness and Training: Regular employee training, phishing simulations and a Cybersecurity Ambassador program.

We leverage our information sharing relationship with the Federal Bureau of Investigation, Cybersecurity and Infrastructure Agency and local law enforcement, as well as additional threat intelligence information, to continuously assess and enhance our cybersecurity posture to address emerging threats and minimize potential impacts on our operations, customers and stakeholders. 

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

The Company’s cybersecurity policies, standards and processes are integrated into the Company’s overall risk management program, and cybersecurity risks are regularly evaluated in the context of material risks to the Company.  We regularly engage with outside experts to assess the maturity of our organizational security program and to inform our short- and long-term cybersecurity strategy.

We maintain a comprehensive cybersecurity program designed to protect the confidentiality, integrity, and availability of our data, systems, and networks. Our security framework is based on a defense-in-depth strategy, employing multiple layers of security controls to mitigate risks associated with cyber threats. Key components of the Information Security Program include:

Network and Endpoint Security: Firewalls, intrusion prevention systems, endpoint detection and response solutions, and monitoring and alerting.
Access Controls and Authentication: Multi-factor authentication, least-privilege access principles, role-based access controls and privileged identity management.
Data Protection: Encryption of sensitive data in transit and at rest, data loss prevention tools, data classification and labeling, and secure backup solutions.
Incident Response: An incident response plan aligned with industry-best practices and a framework for evaluating the materiality of the incident for disclosure and reporting purposes.
Compliance and Governance: Adherence to regulatory requirements, third-party risk management and routine security audits.
Security Awareness and Training: Regular employee training, phishing simulations and a Cybersecurity Ambassador program.

We leverage our information sharing relationship with the Federal Bureau of Investigation, Cybersecurity and Infrastructure Agency and local law enforcement, as well as additional threat intelligence information, to continuously assess and enhance our cybersecurity posture to address emerging threats and minimize potential impacts on our operations, customers and stakeholders. 

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

The Audit Committee of our Board of Directors is responsible for oversight of our cybersecurity program.  In addition, the Technology and Digital Commerce Committee, which was established in 2022, assists the Board of Directors with its oversight responsibilities regarding the role of technology, data, digital commerce and the Company’s ability to understand and connect with its consumers in executing the Company’s strategies, business plans and operational requirements.  

On a quarterly basis, our CIO updates the Audit Committee on the Company’s cybersecurity program, including, among other items, actual events or incidents, results of vulnerability assessments and penetration testing.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Audit Committee of our Board of Directors is responsible for oversight of our cybersecurity program.  In addition, the Technology and Digital Commerce Committee, which was established in 2022, assists the Board of Directors with its oversight responsibilities regarding the role of technology, data, digital commerce and the Company’s ability to understand and connect with its consumers in executing the Company’s strategies, business plans and operational requirements.  

On a quarterly basis, our CIO updates the Audit Committee on the Company’s cybersecurity program, including, among other items, actual events or incidents, results of vulnerability assessments and penetration testing.

Cybersecurity Risk Role of Management [Text Block] The Audit Committee of our Board of Directors is responsible for oversight of our cybersecurity program.  In addition, the Technology and Digital Commerce Committee, which was established in 2022, assists the Board of Directors with its oversight responsibilities regarding the role of technology, data, digital commerce and the Company’s ability to understand and connect with its consumers in executing the Company’s strategies, business plans and operational requirements.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chief Information Officer
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CIO has over 25 years of retail industry experience developing and implementing information technology strategies and leading cybersecurity programs.  The CIO is supported by a team of highly qualified professionals, many of whom hold cybersecurity certifications.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

On a quarterly basis, our CIO updates the Audit Committee on the Company’s cybersecurity program, including, among other items, actual events or incidents, results of vulnerability assessments and penetration testing.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true