Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Apr. 30, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] As a part thereof, the Company has implemented an information security program, directly overseen by our CISO, that consists of controls and processes designed to prevent, detect, and manage reasonably foreseeable cybersecurity risks and threats, and which is based on recognized best practices including the National Institute of Standards and Technology ("NIST") Cyber Security Framework ("CSF") and Payment Card Industry Data Security Standard ("PCI DSS"). Our CISO, who has over 39 years of industry experience, and his team, have relevant education and experience assessing and managing cybersecurity programs and cybersecurity risks across a mix of enterprises, including the retail industry. Together with a third party, the CISO and his team also operate a 24/7 Security Operations Center to monitor the cybersecurity environment and coordinate escalation and remediation of alerts, and we incorporate many other resources to maintain readiness to withstand and respond to a cyber or other data security incident including but not limited to incident response tabletop exercises, system recovery exercises, simulated phishing email exercises and security awareness training.
Our CISO and his team have also developed processes to oversee and identify material cybersecurity risks associated with our use of third-party service providers who access our information technology systems, which includes leveraging our vendor risk management program designed to assess and manage the cybersecurity risks associated with these partnerships. As part of the program, our IT governance, risk and compliance team conducts due diligence as a part of onboarding new vendors and maintains ongoing evaluations to ensure compliance with our security standards.
The Company has a Cybersecurity Incident Response Plan ("the Plan"), which provides protocols and procedures for evaluating and responding to material cybersecurity and other data security incidents, including incident handling, disclosure and reporting, notification to senior management, the Board and relevant committees, and meeting external reporting obligations. As part of the Plan, the Company has also established an Incident Response Governance Team, co-chaired by our CISO and VP, Deputy General Counsel, which is a cross-functional group comprised of relevant stakeholders throughout the organization responsible for organizing the assessment, investigation and response to any material cybersecurity or data security event.
As of the date of this report, no cybersecurity or data security incidents have had, either individually or in the aggregate, a material adverse effect on our business, financial condition or results of operations. Notwithstanding the comprehensive approach we take to information security, there can be no assurance that our security efforts and measures, and those of our third-party service providers, will prevent or mitigate all incidents that could have a material adverse effect on our business, financial condition or results of operations. For additional information regarding the risks to us associated with cybersecurity incidents, see Item 1A entitled "Risk Factors."
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] As a part thereof, the Company has implemented an information security program, directly overseen by our CISO, that consists of controls and processes designed to prevent, detect, and manage reasonably foreseeable cybersecurity risks and threats, and which is based on recognized best practices including the National Institute of Standards and Technology ("NIST") Cyber Security Framework ("CSF") and Payment Card Industry Data Security Standard ("PCI DSS").
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Information security and data privacy have been, and continue to be, vitally important to the Company. Our Board, in coordination with the Audit Committee, provides oversight of the Company’s major information technology risk exposures, including those related to cybersecurity, data privacy and data security, and oversees the steps management has taken to monitor and mitigate such risk exposures. Cybersecurity and related matters are recurring topics at Audit Committee meetings and the Company’s Chief Information Officer ("CIO") and Chief Information Security Officer ("CISO") regularly provide the Audit Committee, and periodically the entire Board, with updates on the Company’s cybersecurity risk profile and strategy. These updates include both qualitative and quantitative information on the effectiveness of the Company’s cybersecurity controls.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board, in coordination with the Audit Committee, provides oversight of the Company’s major information technology risk exposures, including those related to cybersecurity, data privacy and data security, and oversees the steps management has taken to monitor and mitigate such risk exposures.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Cybersecurity and related matters are recurring topics at Audit Committee meetings and the Company’s Chief Information Officer ("CIO") and Chief Information Security Officer ("CISO") regularly provide the Audit Committee, and periodically the entire Board, with updates on the Company’s cybersecurity risk profile and strategy. These updates include both qualitative and quantitative information on the effectiveness of the Company’s cybersecurity controls.
Cybersecurity Risk Role of Management [Text Block]
Our CIO is responsible for the strategic leadership and direction of the Company’s information technology organization. As a part thereof, the Company has implemented an information security program, directly overseen by our CISO, that consists of controls and processes designed to prevent, detect, and manage reasonably foreseeable cybersecurity risks and threats, and which is based on recognized best practices including the National Institute of Standards and Technology ("NIST") Cyber Security Framework ("CSF") and Payment Card Industry Data Security Standard ("PCI DSS"). Our CISO, who has over 39 years of industry experience, and his team, have relevant education and experience assessing and managing cybersecurity programs and cybersecurity risks across a mix of enterprises, including the retail industry. Together with a third party, the CISO and his team also operate a 24/7 Security Operations Center to monitor the cybersecurity environment and coordinate escalation and remediation of alerts, and we incorporate many other resources to maintain readiness to withstand and respond to a cyber or other data security incident including but not limited to incident response tabletop exercises, system recovery exercises, simulated phishing email exercises and security awareness training.
Our CISO and his team have also developed processes to oversee and identify material cybersecurity risks associated with our use of third-party service providers who access our information technology systems, which includes leveraging our vendor risk management program designed to assess and manage the cybersecurity risks associated with these partnerships. As part of the program, our IT governance, risk and compliance team conducts due diligence as a part of onboarding new vendors and maintains ongoing evaluations to ensure compliance with our security standards.
The Company has a Cybersecurity Incident Response Plan ("the Plan"), which provides protocols and procedures for evaluating and responding to material cybersecurity and other data security incidents, including incident handling, disclosure and reporting, notification to senior management, the Board and relevant committees, and meeting external reporting obligations. As part of the Plan, the Company has also established an Incident Response Governance Team, co-chaired by our CISO and VP, Deputy General Counsel, which is a cross-functional group comprised of relevant stakeholders throughout the organization responsible for organizing the assessment, investigation and response to any material cybersecurity or data security event.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Our CIO is responsible for the strategic leadership and direction of the Company’s information technology organization. As a part thereof, the Company has implemented an information security program, directly overseen by our CISO, that consists of controls and processes designed to prevent, detect, and manage reasonably foreseeable cybersecurity risks and threats, and which is based on recognized best practices including the National Institute of Standards and Technology ("NIST") Cyber Security Framework ("CSF") and Payment Card Industry Data Security Standard ("PCI DSS"). Our CISO, who has over 39 years of industry experience, and his team, have relevant education and experience assessing and managing cybersecurity programs and cybersecurity risks across a mix of enterprises, including the retail industry. Together with a third party, the CISO and his team also operate a 24/7 Security Operations Center to monitor the cybersecurity environment and coordinate escalation and remediation of alerts, and we incorporate many other resources to maintain readiness to withstand and respond to a cyber or other data security incident including but not limited to incident response tabletop exercises, system recovery exercises, simulated phishing email exercises and security awareness training.
Our CISO and his team have also developed processes to oversee and identify material cybersecurity risks associated with our use of third-party service providers who access our information technology systems, which includes leveraging our vendor risk management program designed to assess and manage the cybersecurity risks associated with these partnerships. As part of the program, our IT governance, risk and compliance team conducts due diligence as a part of onboarding new vendors and maintains ongoing evaluations to ensure compliance with our security standards.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CISO, who has over 39 years of industry experience, and his team, have relevant education and experience assessing and managing cybersecurity programs and cybersecurity risks across a mix of enterprises, including the retail industry.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Our CISO and his team have also developed processes to oversee and identify material cybersecurity risks associated with our use of third-party service providers who access our information technology systems, which includes leveraging our vendor risk management program designed to assess and manage the cybersecurity risks associated with these partnerships. As part of the program, our IT governance, risk and compliance team conducts due diligence as a part of onboarding new vendors and maintains ongoing evaluations to ensure compliance with our security standards.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true