|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Feb. 01, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Nordstrom understands that establishing, executing and sustaining effective cybersecurity measures to secure our information systems and preserve the confidentiality, integrity and availability of our data is critical to the success of the business.
Management of Material Risks and Integrated Overall Risk Management
Our comprehensive risk management framework is intended to strategically incorporate cybersecurity risk management across the company, with the objective of ensuring that cybersecurity considerations underpin the decision-making processes at all organizational levels. Our risk management team collaborates closely across various Enterprise-wide business units to continually assess and address identified cybersecurity risks in alignment with business objectives. The CTIO regularly updates the Chief Financial Officer and Chief Executive Officer on material cybersecurity risks and events.
Engagement with Third Parties on Management of Cybersecurity Risk
Recognizing the dynamic nature of cybersecurity threats, Nordstrom collaborates with external experts, including assessors, consultants and examiners, to evaluate and test our cybersecurity risk preparedness. Regular exams, threat assessments and consultation on security enhancements with these third parties ensure that our cybersecurity strategies align with industry best practices.
Oversight of Third-party Risk
In the course of our business, we regularly exchange data and information with certain third parties in various ways, exposing us to risk related to the cybersecurity posture of and information management practices of those third parties. To try to mitigate this risk, we have implemented processes that may, depending upon the nature of the relationship with the third party, require security assessments and data integration design reviews prior to allowing our systems to connect with theirs. In addition, we seek to require these third parties to adhere to pre-established cybersecurity standards. Where applicable, we try to obtain contractual commitments with those third parties to ensure these security requirements are met.
Risks from Cybersecurity Threats
Nordstrom has not experienced any cybersecurity incident that has materially impacted, or that is reasonably likely to materially impact, our operations, financial condition or cash flows.
Cybersecurity Risk Management Personnel
Primary responsibility for assessing, monitoring, mitigating and managing our cybersecurity risks rests with our information security organization, currently led by our CTIO. The CTIO has over 25 years of experience leading technology teams in retail and in many highly regulated industries including Healthcare, Pharmaceuticals and Financial Services. Our CTIO supports a skilled information security organization that brings expertise in vulnerability management, incident response, penetration testing, regulatory compliance and other critical information security domains. Our information security team maintains certifications from recognized external security authorities such as ISC2, CompTIA, ISACA, GIAC, SANS, PCI and OffSec. The security program is assessed annually by a reputable third party to provide guidance for continuous improvement.
Monitoring and Responding to Cybersecurity Incidents
The security organization stays informed about the latest developments in cybersecurity, implements processes for regular monitoring of information systems and deploys relevant security measures. In the event of a cybersecurity incident, a formal incident response plan is in place for immediate actions and long-term strategies.
Board of Directors Oversight
The Board of Directors has oversight responsibilities regarding cybersecurity risk. At regularly scheduled meetings (at least quarterly), in addition to such additional interactions as may be necessary in specific circumstances, our Chief Executive Officer and CTIO update the Board on emerging cybersecurity risks and developments impacting Nordstrom.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Management of Material Risks and Integrated Overall Risk Management
Our comprehensive risk management framework is intended to strategically incorporate cybersecurity risk management across the company, with the objective of ensuring that cybersecurity considerations underpin the decision-making processes at all organizational levels. Our risk management team collaborates closely across various Enterprise-wide business units to continually assess and address identified cybersecurity risks in alignment with business objectives. The CTIO regularly updates the Chief Financial Officer and Chief Executive Officer on material cybersecurity risks and events.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors Oversight
The Board of Directors has oversight responsibilities regarding cybersecurity risk. At regularly scheduled meetings (at least quarterly), in addition to such additional interactions as may be necessary in specific circumstances, our Chief Executive Officer and CTIO update the Board on emerging cybersecurity risks and developments impacting Nordstrom.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board of Directors has oversight responsibilities regarding cybersecurity risk.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|At regularly scheduled meetings (at least quarterly), in addition to such additional interactions as may be necessary in specific circumstances, our Chief Executive Officer and CTIO update the Board on emerging cybersecurity risks and developments impacting Nordstrom.
|Cybersecurity Risk Role of Management [Text Block]
|
Monitoring and Responding to Cybersecurity Incidents
The security organization stays informed about the latest developments in cybersecurity, implements processes for regular monitoring of information systems and deploys relevant security measures. In the event of a cybersecurity incident, a formal incident response plan is in place for immediate actions and long-term strategies.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Primary responsibility for assessing, monitoring, mitigating and managing our cybersecurity risks rests with our information security organization, currently led by our CTIO. The CTIO has over 25 years of experience leading technology teams in retail and in many highly regulated industries including Healthcare, Pharmaceuticals and Financial Services. Our CTIO supports a skilled information security organization that brings expertise in vulnerability management, incident response, penetration testing, regulatory compliance and other critical information security domains. Our information security team maintains certifications from recognized external security authorities such as ISC2, CompTIA, ISACA, GIAC, SANS, PCI and OffSec. The security program is assessed annually by a reputable third party to provide guidance for continuous improvement.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CTIO has over 25 years of experience leading technology teams in retail and in many highly regulated industries including Healthcare, Pharmaceuticals and Financial Services. Our CTIO supports a skilled information security organization that brings expertise in vulnerability management, incident response, penetration testing, regulatory compliance and other critical information security domains. Our information security team maintains certifications from recognized external security authorities such as ISC2, CompTIA, ISACA, GIAC, SANS, PCI and OffSec.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The CTIO regularly updates the Chief Financial Officer and Chief Executive Officer on material cybersecurity risks and events.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true