|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 28, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
CYBERSECURITY
Risk Management and Strategy
As part of our overall risk management system and processes, The ODP Corporation maintains a continuous process for assessing, identifying and managing material risks from cybersecurity threats including risks relating to disruption of business operations or financial reporting systems, intellectual property theft; fraud; extortion; harm to employees or customers; damage to relationships; violation of privacy laws and other litigation and legal risk; and reputational risk. Cybersecurity is a critical component of our Enterprise Risk Management (“ERM”) process and we have established a cybersecurity and information security framework to help maintain the confidentiality, integrity and access of our information assets and to ensure regulatory, contractual and operational compliance. This includes protection of customer and employee personally identifiable information (“PII”) and company confidential information.
We have a cybersecurity governance framework in place which is designed to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. We deploy a multifaceted, in-depth digital security defense program to address digital security risks and vulnerabilities, and to protect company assets. The program is led by our Chief Information Security Officer (“CISO”) and implemented by a team of trained cybersecurity professionals comprising associates and third parties that augment the team. Our cybersecurity program consists of controls designed to identify, protect against, detect, respond to and recover from information and cybersecurity incidents.
Our CISO oversees the Company’s approach to managing cybersecurity and digital risk and is supported by the Company’s C-suite, officers and other Company leaders and regularly engages with cross-functional teams including finance, compliance, legal, and internal audit at the Company. We have a cybersecurity and information security framework that includes risk assessment and mitigation through a threat intelligence-driven approach and application of controls. The framework is based on International Organization for Standardizations (“ISO”) 27001/27002 standards for general information technology controls. In addition, we utilize Center for Internet Security best practice standards, the National Institute of Standards and Technology Cyber Security Framework for measuring overall readiness to respond to cyber threats, and Sarbanes-Oxley for assessment of internal controls. We utilize policies, software, training programs and hardware solutions to protect and monitor our environment, including multifactor authentication, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing and identity management systems. Our information security and privacy policies are informed by regulatory requirements and are reviewed periodically for compliance and alignment with current state and federal laws and regulations. We comply with applicable industry security standards, including the Payment Card Industry Data Security Standard (“PCI DSS”). As part of our cybersecurity and information security program, we regularly evaluate and audit (with internal audit) our controls and vulnerabilities. Risks are identified from various sources and we monitor our infrastructure and applications to identify evolving cyber threats, and attempt to mitigate those risks. We maintain a security operations center to monitor our Security Information and Event Management system. Additionally, we maintain a Cybersecurity Incident Response Plan, which is reviewed regularly, and provides a framework for handling and escalating cybersecurity incidents based on the severity of the incident and facilitates cross-functional coordination across the Company.
We maintain a comprehensive global training and awareness program, provide annual security awareness education and training for employees and consultants, conduct internal “phishing” testing, and publish periodic cybersecurity newsletters providing relevant information on security topics and cybersecurity policies to help our associates and contractors extend our security mission throughout their day-to-day responsibilities and to help them make sound computing decisions. We also periodically conduct simulated cybersecurity incident exercises administered by a third-party cybersecurity consultant. Additionally, we carry industry-standard cybersecurity insurance, which we believe to be commensurate with our size and the nature of our operations, and regularly review our policy and levels of coverage based on current risks.
In connection with our cybersecurity risk management processes, we incorporate internal and external expertise. For example, our CISO works in partnership with our internal audit department to review cybersecurity controls in the context of financial reporting as part of the overall internal controls process. We utilize third-party security companies to test for cyber vulnerabilities, to perform penetration tests periodically and to test incident response preparedness. Additionally, we conduct regular information technology reviews based on the SOC 2 audit framework, periodic cybersecurity “tabletop” exercises with the C-suite, the Board, and Company associates and Board cybersecurity education, all of which are administered by independent third parties. We engage experts to advise us regarding cybersecurity issues such as regulatory compliance, materiality determinations, disclosure obligations and best practices for oversight, as needed. We also collaborate with our peers and partners in the areas of threat intelligence and vulnerability management.
Cybersecurity risks related to third parties are managed as part of our third-party risk management program to assess risk from material vendors and suppliers. Additionally, we have developed information security processes applicable to third parties which are incorporated into our standard form contracts. Cybersecurity measures are not completely infallible. Our systems have been, although not to a material extent, and may continue to be compromised as a result of phishing scams, third-party security breaches, business
email compromises, cyberattacks, or other irregularity, resulting in persons obtaining unauthorized access to our data or systems. As previously disclosed, our business strategy, results of operations and financial condition were negatively impacted by a malware incident that affected CompuCom, our previously-owned subsidiary, in March 2021. We sold our CompuCom Division through a single disposal group on December 31, 2021, and the financial impact of the malware incident was reflected within discontinued operations. For additional information, see “Risk Factors” within Other Key Information in this Annual Report.
Governance
Management
The cybersecurity risk management processes described above are managed by our CISO and a team of information security professionals. Our CISO has 10 years of experience in the role at the Company and holds a Certified Information Security Manager (“CISM”) certification. In addition, our CISO has 10+ years of experience managing secure applications that are PCI DSS compliant and protect PII via application of information security policies/standards and risk management principles, along with 10+ years producing reduced risk, SOX, PCI, CCPA and Internal Audit compliant systems through application of control frameworks and governance structures.
Our CISO reports to the Chief Technology Officer (“CTO”) who, in partnership with the Chief Information Officer (“CIO”), is responsible for informing executive leadership regarding cybersecurity. The CISO also reports to the independent Audit Committee quarterly, as described below. The CISO leads a team of trained internal cybersecurity professionals addressing digital security risks, vulnerabilities and protecting company assets.
Board of Directors
The independent Audit Committee of the Board of Directors is primarily responsible for the oversight of risks from cybersecurity and data privacy and is responsible for assessing the Company’s business risk management process and policies pursuant to the committee charter. To fulfill this responsibility, the Audit Committee receives quarterly reports about cybersecurity risks from our CISO. These reports include information regarding the implementation and administration of our cybersecurity processes, cybersecurity governance processes, status of projects relating to cybersecurity, cybersecurity matters relating to any particular products or services, summaries of any material cybersecurity threats or incidents and responses thereto, regulatory updates, updates on cybersecurity trends and the results of any assessments performed by internal stakeholders or third-party advisors.
Additionally, the Board of Directors retains responsibility for the oversight of our overall risk management systems and processes. The Board reviews the results of the annual Enterprise Risk Management assessment and the mitigation of the risks identified, which currently includes the topic of cybersecurity. The Company’s Risk Profile (derived from ERM assessment) is monitored throughout the year, and the Board and/or Audit Committee is updated, as necessary. Additionally, our CTO and CIO provide technology updates to the full Board regularly, including governance and risk considerations of our information security program.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|our business strategy, results of operations and financial condition were negatively impacted by a malware incident that affected CompuCom, our previously-owned subsidiary, in March 2021. We sold our CompuCom Division through a single disposal group on December 31, 2021, and the financial impact of the malware incident was reflected within discontinued operations.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Management
The cybersecurity risk management processes described above are managed by our CISO and a team of information security professionals. Our CISO has 10 years of experience in the role at the Company and holds a Certified Information Security Manager (“CISM”) certification. In addition, our CISO has 10+ years of experience managing secure applications that are PCI DSS compliant and protect PII via application of information security policies/standards and risk management principles, along with 10+ years producing reduced risk, SOX, PCI, CCPA and Internal Audit compliant systems through application of control frameworks and governance structures.
Our CISO reports to the Chief Technology Officer (“CTO”) who, in partnership with the Chief Information Officer (“CIO”), is responsible for informing executive leadership regarding cybersecurity. The CISO also reports to the independent Audit Committee quarterly, as described below. The CISO leads a team of trained internal cybersecurity professionals addressing digital security risks, vulnerabilities and protecting company assets.
Board of Directors
The independent Audit Committee of the Board of Directors is primarily responsible for the oversight of risks from cybersecurity and data privacy and is responsible for assessing the Company’s business risk management process and policies pursuant to the committee charter. To fulfill this responsibility, the Audit Committee receives quarterly reports about cybersecurity risks from our CISO. These reports include information regarding the implementation and administration of our cybersecurity processes, cybersecurity governance processes, status of projects relating to cybersecurity, cybersecurity matters relating to any particular products or services, summaries of any material cybersecurity threats or incidents and responses thereto, regulatory updates, updates on cybersecurity trends and the results of any assessments performed by internal stakeholders or third-party advisors.
Additionally, the Board of Directors retains responsibility for the oversight of our overall risk management systems and processes. The Board reviews the results of the annual Enterprise Risk Management assessment and the mitigation of the risks identified, which currently includes the topic of cybersecurity. The Company’s Risk Profile (derived from ERM assessment) is monitored throughout the year, and the Board and/or Audit Committee is updated, as necessary. Additionally, our CTO and CIO provide technology updates to the full Board regularly, including governance and risk considerations of our information security program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Additionally, the Board of Directors retains responsibility for the oversight of our overall risk management systems and processes. The Board reviews the results of the annual Enterprise Risk Management assessment and the mitigation of the risks identified, which currently includes the topic of cybersecurity.
|Cybersecurity Risk Role of Management [Text Block]
|
The cybersecurity risk management processes described above are managed by our CISO and a team of information security professionals. Our CISO has 10 years of experience in the role at the Company and holds a Certified Information Security Manager (“CISM”) certification. In addition, our CISO has 10+ years of experience managing secure applications that are PCI DSS compliant and protect PII via application of information security policies/standards and risk management principles, along with 10+ years producing reduced risk, SOX, PCI, CCPA and Internal Audit compliant systems through application of control frameworks and governance structures.
Our CISO reports to the Chief Technology Officer (“CTO”) who, in partnership with the Chief Information Officer (“CIO”), is responsible for informing executive leadership regarding cybersecurity. The CISO also reports to the independent Audit Committee quarterly, as described below. The CISO leads a team of trained internal cybersecurity professionals addressing digital security risks, vulnerabilities and protecting company assets.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our CISO has 10 years of experience in the role at the Company and holds a Certified Information Security Manager (“CISM”) certification.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|In addition, our CISO has 10+ years of experience managing secure applications that are PCI DSS compliant and protect PII via application of information security policies/standards and risk management principles, along with 10+ years producing reduced risk, SOX, PCI, CCPA and Internal Audit compliant systems through application of control frameworks and governance structures.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CISO reports to the Chief Technology Officer (“CTO”) who, in partnership with the Chief Information Officer (“CIO”), is responsible for informing executive leadership regarding cybersecurity. The CISO also reports to the independent Audit Committee quarterly, as described below. The CISO leads a team of trained internal cybersecurity professionals addressing digital security risks, vulnerabilities and protecting company assets.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef