|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Feb. 01, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our cybersecurity program is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and applies, as appropriate, to the Company’s internal and external information systems, applications, networks, and operations. We conduct scanning, testing, and assessments designed to identify risks from cybersecurity threats, assess controls, and calibrate planning in response to rapidly evolving cybersecurity risks, and use the results from this testing to adjust our cybersecurity program roadmap to mitigate cybersecurity risks as they evolve. Our internal audit team performs audits on various aspects of cybersecurity and reports the results of these audits in its quarterly reports to management, the Cyber Security Committee, and the Audit Committee. Our internal auditors assess the sufficiency of security controls for relevant systems. Leaders from our risk management and internal audit teams administer our enterprise risk management program, which is designed to identify, assess and manage our top enterprise risks, including risks arising from cybersecurity threats.
We employ a risk-based approach to secure access to our networks, systems, and applications by partners and vendors. We have implemented risk assessment processes for partners and vendors receiving access to our environment and data. Our partners and vendors with whom we share information to conduct our business are required to safeguard it by appropriate means, including elevated contractual commitments when appropriate. We provide cybersecurity training to our team members during onboarding and regularly thereafter. We maintain a software vulnerability management program supported by internal personnel and third-party service providers. We deploy technologies to automate and enhance our operational security capabilities. We also use third-party managed security services to augment our cybersecurity team’s capabilities.
We have adopted and maintain a Cyber Security Incident Response Plan (the “CSIRP”) to provide a standardized framework for responding to cybersecurity incidents. The CSIRP is a coordinated approach to investigate, contain, mitigate, and document cybersecurity incidents, including reporting and escalating findings as appropriate (including to the crisis management team). We also periodically engage external assessors, consultants, Payment Card Industry-Data Security Standards (PCI-DSS) auditors, or other third parties to assist with our cybersecurity program. When appropriate, we engage forensic investigators and legal counsel to investigate cybersecurity threats and incidents.
Based on the information available to us as of the date of this Annual Report, we believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and as of the date of this Annual Report, we are not aware of any material risks from cybersecurity threats that are reasonably likely to do so. However, we cannot eliminate all risks from cybersecurity threats or provide assurances that the Company will not be materially affected by such risks in the future. Due to evolving cybersecurity threats, despite our security measures, we may not be able to anticipate, prevent, and stop future cybersecurity incidents, including attacks to our information systems and data and those of our partners. Additional information on cybersecurity risks we face is discussed in Item 1A of Part I, “Risk Factors”, which should be read in conjunction with the foregoing.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The security of our information systems and data is critical to our business as a retailer, and we devote significant resources to protecting our information systems and data. We continue to invest in people, technology, and processes to protect data and systems against evolving cybersecurity threats. We have implemented a cybersecurity program that we believe is reasonably designed to manage risks from cybersecurity threats, including those that may result in adverse effects on the confidentiality, integrity, and availability of our information systems, and impact the security of information we create, maintain, and process on our information systems. Our program is designed to enable us to prevent, monitor, identify, detect, investigate, respond to, mitigate, and report on cybersecurity threats and incidents.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Company has adopted a cross-functional and multi-management level approach to assessing and managing risks arising from cybersecurity threats. The audit committee of our Board of Directors (the “Audit Committee”) oversees the Company’s enterprise risk management program. As part of this oversight, the Audit Committee has primary responsibility for overseeing risks related to cybersecurity, although the full Board of Directors retains ultimate oversight over these risks. Cybersecurity is a standing agenda item of the Audit Committee’s regular quarterly meetings, where the Audit Committee reviews and discusses cybersecurity risks along with the Company’s cybersecurity programs and strategy with management. The Audit Committee receives reports and presentations from our Chief Information Officer (CIO) and our Chief Legal Officer (CLO) at its quarterly meetings on a range of topics, including our cybersecurity program and processes, our information systems, risk identification and mitigation strategies, the evolving cybersecurity threat landscape, regulatory developments, board education, and notable incidents or threats affecting the Company. From time to time between quarterly meetings, our CIO and CLO or other members of management may hold additional cybersecurity-related discussions with the Audit Committee. The Audit Committee regularly reports on its cybersecurity program oversight to the Board of Directors.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The audit committee of our Board of Directors (the “Audit Committee”) oversees the Company’s enterprise risk management program. As part of this oversight, the Audit Committee has primary responsibility for overseeing risks related to cybersecurity, although the full Board of Directors retains ultimate oversight over these risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Cybersecurity is a standing agenda item of the Audit Committee’s regular quarterly meetings, where the Audit Committee reviews and discusses cybersecurity risks along with the Company’s cybersecurity programs and strategy with management. The Audit Committee receives reports and presentations from our Chief Information Officer (CIO) and our Chief Legal Officer (CLO) at its quarterly meetings on a range of topics, including our cybersecurity program and processes, our information systems, risk identification and mitigation strategies, the evolving cybersecurity threat landscape, regulatory developments, board education, and notable incidents or threats affecting the Company. From time to time between quarterly meetings, our CIO and CLO or other members of management may hold additional cybersecurity-related discussions with the Audit Committee. The Audit Committee regularly reports on its cybersecurity program oversight to the Board of Directors.
|Cybersecurity Risk Role of Management [Text Block]
|
Our CIO is the primary executive responsible for leading the Company’s cybersecurity risk management program and has over 20 years of experience in various technology-related roles, including responsibilities related to managing information security, developing cybersecurity strategy, and implementing cybersecurity programs. Our cybersecurity team is responsible for the operations of our cybersecurity program, including implementing, monitoring, and maintaining cybersecurity and data protection solutions and practices across the enterprise. The team is led by our Director of IT Security and Compliance (our “Security Director”), who reports to our CIO. Our Security Director has over 20 years of IT experience and over 12 years of cybersecurity experience, and holds a Master of Science in Cybersecurity and Information Assurance. Our cybersecurity team works with our crisis management team and cybersecurity advisors we may engage to respond to and manage the resolution of cybersecurity incidents. Our CIO, Security Director, and cybersecurity team also work closely with our legal team on various aspects of our cybersecurity program.
Our Cyber Security Committee, which is chaired by the CIO, and includes the CLO, the Chief Administrative Officer, and the Security Director among other team members, is a management committee chartered to oversee our cybersecurity program. The Cyber Security Committee meets at least quarterly and more frequently as appropriate to review and discuss the Company’s cybersecurity program. Our CIO and Security Director provide reports at each Cyber Security Committee meeting on cybersecurity program matters and initiatives. The Cyber Security Committee reviews any significant cybersecurity threats or incidents reported by the Security Director. The Cyber Security Committee elevates cybersecurity threats and incidents to the Audit Committee, CEO and CFO, Disclosure Committee, and crisis management team, as appropriate.
Our Disclosure Committee, a cross-functional group consisting of accounting, legal, finance, investor relations, internal audit, and IT management personnel, is responsible for disclosures concerning material cybersecurity incidents and the Company’s cybersecurity practices.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The audit committee of our Board of Directors (the “Audit Committee”) oversees the Company’s enterprise risk management program. As part of this oversight, the Audit Committee has primary responsibility for overseeing risks related to cybersecurity, although the full Board of Directors retains ultimate oversight over these risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CIO is the primary executive responsible for leading the Company’s cybersecurity risk management program and has over 20 years of experience in various technology-related roles, including responsibilities related to managing information security, developing cybersecurity strategy, and implementing cybersecurity programs. Our cybersecurity team is responsible for the operations of our cybersecurity program, including implementing, monitoring, and maintaining cybersecurity and data protection solutions and practices across the enterprise. The team is led by our Director of IT Security and Compliance (our “Security Director”), who reports to our CIO. Our Security Director has over 20 years of IT experience and over 12 years of cybersecurity experience, and holds a Master of Science in Cybersecurity and Information Assurance.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Cybersecurity is a standing agenda item of the Audit Committee’s regular quarterly meetings, where the Audit Committee reviews and discusses cybersecurity risks along with the Company’s cybersecurity programs and strategy with management. The Audit Committee receives reports and presentations from our Chief Information Officer (CIO) and our Chief Legal Officer (CLO) at its quarterly meetings on a range of topics, including our cybersecurity program and processes, our information systems, risk identification and mitigation strategies, the evolving cybersecurity threat landscape, regulatory developments, board education, and notable incidents or threats affecting the Company. From time to time between quarterly meetings, our CIO and CLO or other members of management may hold additional cybersecurity-related discussions with the Audit Committee. The Audit Committee regularly reports on its cybersecurity program oversight to the Board of Directors.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true