|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Feb. 01, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Safeguarding our information systems as well as the information that we receive and store about our customers, employees, vendors, and others is a priority for Gap Inc. We maintain a cybersecurity program with technical and organizational safeguards that is designed to identify, assess, manage, mitigate, and respond to cybersecurity threats, including threats associated with the use of third-party systems. The program leverages our overall enterprise risk management and business continuity planning processes. Cybersecurity risk management processes are also embedded within our operating procedures, internal controls, and information systems.
Annually, employees receive cybersecurity training, and we provide additional targeted cybersecurity awareness and education activities throughout the year. In partnership with external consultants, we periodically conduct “tabletop” exercises with management, our Board and members of our Information Security, Information Technology, and Privacy teams during which we simulate real-life cybersecurity incident scenarios to assess our preparedness, test our incident response plan and highlight potential areas for improvement. Audits of our cybersecurity risk management processes are conducted periodically in order to test the effectiveness of controls designed to prevent and respond to cyberattacks at different levels within Gap Inc. In addition, we maintain cybersecurity risk insurance.
Our Information Security and Information Technology teams manage and monitor our cybersecurity environment. These teams track cybersecurity incidents across Gap Inc., our vendors and third-party service providers to remediate and resolve incidents. Incidents are escalated as appropriate based on a risk assessment framework, including as needed to senior management. Gap Inc.’s Privacy team is involved to the extent data privacy concerns are implicated. We maintain an incident response plan to coordinate activities taken to respond to and remediate cybersecurity incidents. We consult with outside counsel as appropriate, including on materiality
analysis and disclosure matters, and senior management makes final materiality determination and disclosure decisions.
Our cybersecurity risk management processes are based on industry-recognized standards. We partner with leading cybersecurity companies to leverage third-party technology and expertise, and we engage with these partners to support monitoring and maintaining the performance and effectiveness of controls implemented in our environment.To date, our business strategy, results of operations, and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity-related risks, see “Risks Related to Information Security and Technology” in Item 1A, Risk Factors, of this Form 10-K.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Safeguarding our information systems as well as the information that we receive and store about our customers, employees, vendors, and others is a priority for Gap Inc. We maintain a cybersecurity program with technical and organizational safeguards that is designed to identify, assess, manage, mitigate, and respond to cybersecurity threats, including threats associated with the use of third-party systems. The program leverages our overall enterprise risk management and business continuity planning processes. Cybersecurity risk management processes are also embedded within our operating procedures, internal controls, and information systems.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Gap Inc.’s Chief Information Security Officer (“CISO”) oversees the cybersecurity program. The CISO reports to the Chief Technology Officer (“CTO”) and is responsible for assessing and maintaining the Company’s cybersecurity risk management processes. The CISO informs senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents. The CISO, CTO, and members of the Information Security, Information Technology, and Privacy teams have broad experience and expertise in selecting, deploying, and operating cybersecurity technologies, initiatives and processes around the world. Our CISO has nearly 25 years of experience in the information security and information technology fields. Our CTO has nearly 35 years of experience in these fields, including in technology leadership roles for large companies across multiple industries.
Our Board understands the importance of maintaining a robust and effective cybersecurity program. The Audit and Finance Committee of the Board oversees the Company’s cybersecurity program as well as risk exposures and steps taken by management to monitor and mitigate cybersecurity risks. The CISO provides a quarterly update on the cybersecurity program, on an alternating basis to the Audit and Finance Committee or the full Board.
Our Internal Audit department facilitates an annual enterprise risk assessment ("ERA") that is designed to gather information regarding key enterprise risks, emerging risks, and critical risk events that could impact our objectives and strategies. The Internal Audit department partners with our Information Security, Information Technology, and Privacy teams to gather information about risks related to cybersecurity threats. The ERA is presented to the Board and provides the foundation for the annual Internal Audit plan, management’s monitoring and risk mitigation efforts, and ongoing Board-level oversight. On a quarterly basis, Gap Inc.’s Chief Audit Executive updates the Audit and Finance Committee on the Internal Audit plan. The Audit and Finance Committee also reviews updates to the Company’s enterprise risk profile, including identified cybersecurity risks, throughout the year. Additionally, key third-party dependencies are monitored as part of our overall business continuity planning, with the Audit and Finance Committee receiving periodic updates.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board understands the importance of maintaining a robust and effective cybersecurity program. The Audit and Finance Committee of the Board oversees the Company’s cybersecurity program as well as risk exposures and steps taken by management to monitor and mitigate cybersecurity risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Internal Audit department facilitates an annual enterprise risk assessment ("ERA") that is designed to gather information regarding key enterprise risks, emerging risks, and critical risk events that could impact our objectives and strategies. The Internal Audit department partners with our Information Security, Information Technology, and Privacy teams to gather information about risks related to cybersecurity threats. The ERA is presented to the Board and provides the foundation for the annual Internal Audit plan, management’s monitoring and risk mitigation efforts, and ongoing Board-level oversight. On a quarterly basis, Gap Inc.’s Chief Audit Executive updates the Audit and Finance Committee on the Internal Audit plan. The Audit and Finance Committee also reviews updates to the Company’s enterprise risk profile, including identified cybersecurity risks, throughout the year. Additionally, key third-party dependencies are monitored as part of our overall business continuity planning, with the Audit and Finance Committee receiving periodic updates.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Information Security and Information Technology teams manage and monitor our cybersecurity environment. These teams track cybersecurity incidents across Gap Inc., our vendors and third-party service providers to remediate and resolve incidents. Incidents are escalated as appropriate based on a risk assessment framework, including as needed to senior management. Gap Inc.’s Privacy team is involved to the extent data privacy concerns are implicated. We maintain an incident response plan to coordinate activities taken to respond to and remediate cybersecurity incidents. We consult with outside counsel as appropriate, including on materialityanalysis and disclosure matters, and senior management makes final materiality determination and disclosure decisions.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Audit and Finance Committee of the Board oversees the Company’s cybersecurity program as well as risk exposures and steps taken by management to monitor and mitigate cybersecurity risks
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO, CTO, and members of the Information Security, Information Technology, and Privacy teams have broad experience and expertise in selecting, deploying, and operating cybersecurity technologies, initiatives and processes around the world. Our CISO has nearly 25 years of experience in the information security and information technology fields. Our CTO has nearly 35 years of experience in these fields, including in technology leadership roles for large companies across multiple industries.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our Information Security and Information Technology teams manage and monitor our cybersecurity environment. These teams track cybersecurity incidents across Gap Inc., our vendors and third-party service providers to remediate and resolve incidents. Incidents are escalated as appropriate based on a risk assessment framework, including as needed to senior management. Gap Inc.’s Privacy team is involved to the extent data privacy concerns are implicated. We maintain an incident response plan to coordinate activities taken to respond to and remediate cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef