|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Feb. 01, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity
Risk Management and Strategy
We recognize the critical importance of maintaining the trust and confidence of our customers and employees. Consequently, we maintain a comprehensive security incident response plan ("SIRP") and we assess, identify, and manage material risks associated with cybersecurity threats. Our SIRP includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
We have integrated cybersecurity risk management into our broader risk management framework through various mechanisms, including (i) our updates to the Cyber Committee, which was created by the Board in 2016 and meets at least quarterly, (ii) our annual enterprise risk management update to the Board, and (iii) our information technology and security related internal controls, including vulnerability management programs.
We train employees to understand their role in attempting to protect the Company from cybersecurity attacks. Our information security training program for employees includes acknowledgement of our information security policies, regular internal communications, and testing to measure the effectiveness of our information security program. For example, we conduct regular phishing awareness campaigns designed to emulate current threats and provide immediate feedback and, as necessary, additional training or remedial action.
In addition, we engage third parties to assist in assessing, identifying, and remediating material risks from cybersecurity threats. Our key cybersecurity controls are regularly tested by third-party service providers, which we retain to help identify vulnerabilities in our systems and to help maintain compliance to standards and regulatory requirements. Other third-party service providers are enlisted by the Company for security operations center services to augment our teams’ monitoring capabilities and to assist with our investigation and response to alerts on emerging and ongoing threats.
Further, our cybersecurity team continuously evaluates and addresses cybersecurity risks in alignment with our business objectives and operational needs. We use various security tools and processes to help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner, including, but not limited to, risk assessment network security controls, detection and response tools and a vulnerability management program.
The complexity and evolving nature of cybersecurity threats requires that we engage with a range of external experts, including cybersecurity assessors and consultants, in evaluating and testing our risk management systems. This enables us to leverage specialized knowledge and insights to be confident that our cybersecurity strategies and processes are consistent with industry best practices. Our collaboration with these third parties includes regular threat assessments and consultation on security enhancements.
In order to mitigate data or security incidents that may originate from third-party vendors or suppliers, we conduct both privacy and security assessments to properly identify, prioritize, assess and remediate any third-party risks, and we require security and privacy addenda to our contracts where applicable. We currently maintain a cyber insurance policy that provides coverage for security breaches; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks, or other related breaches.
The nature of our business exposes us to cybersecurity threats and attacks that can lead to the unauthorized acquisition or access, compromise, loss, misuse or theft of our data, including personal information, confidential information or intellectual property. To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including our business strategy, results of operations, or financial condition. Also see Part I, Item 1A, Risk Factors, in this Annual Report for a discussion of cybersecurity risks.
Governance
Our Board is ultimately responsible for the risk oversight of the Company, including cybersecurity and privacy risks. Our Board has delegated day-to-day responsibility for oversight of cybersecurity risks to the Cyber Committee. The Cyber Committee is composed of members of our Board who have diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.
Pursuant to its charter, our Cyber Committee:
•
assists our Board in fulfilling its risk oversight responsibilities with respect to the protection of the Company’s assets, including confidential, proprietary and personal information, reputation and goodwill in all forms;
•
supervises and monitors the soundness of our cybersecurity and data protection strategies and practices;
•
oversees and monitors our material compliance with applicable information security, privacy and data protection laws, industry standards and contractual requirements;
•
promotes and furthers the integrity, adoption and coordination of our data security processes across the Company to help ensure that data and system security is a Company-wide business objective and priority; and
•
oversees our cybersecurity and data protection performance and the overall implementation of our cybersecurity and data protection strategy.
At the management level, our Chief Technology Officer and our Senior Vice President, Technology and Innovation, as well as our technology staff, are primarily responsible for identifying, assessing, monitoring and managing our cybersecurity. Our Chief Technology Officer reports directly to our President and Chief Executive Officer and meets at least quarterly with the Cyber Committee. Our current Chief Technology Officer has over 35 years of industry experience, including service as a Chief Technology Officer/Chief Information Officer for over seven years and extensive experience in developing and leading technology risk management programs. Our Senior Vice President, Technology and Innovation reports directly to the Chief Technology Officer and has over 32 years of industry experience with the Company. He has led the Company’s cybersecurity team and overseen PCI certification for the past seven years, ensuring compliance with industry standards and strengthening the organization's security posture. Additionally, our technology staff holds multiple industry-standard security certifications, including Cisco Certified Network Associate, PCI Internal Security Assessor, and Certified Ethical Hacker.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have integrated cybersecurity risk management into our broader risk management framework through various mechanisms, including (i) our updates to the Cyber Committee, which was created by the Board in 2016 and meets at least quarterly, (ii) our annual enterprise risk management update to the Board, and (iii) our information technology and security related internal controls, including vulnerability management programs.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board is ultimately responsible for the risk oversight of the Company, including cybersecurity and privacy risks. Our Board has delegated day-to-day responsibility for oversight of cybersecurity risks to the Cyber Committee. The Cyber Committee is composed of members of our Board who have diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.
Pursuant to its charter, our Cyber Committee:
•
assists our Board in fulfilling its risk oversight responsibilities with respect to the protection of the Company’s assets, including confidential, proprietary and personal information, reputation and goodwill in all forms;
•
supervises and monitors the soundness of our cybersecurity and data protection strategies and practices;
•
oversees and monitors our material compliance with applicable information security, privacy and data protection laws, industry standards and contractual requirements;
•
promotes and furthers the integrity, adoption and coordination of our data security processes across the Company to help ensure that data and system security is a Company-wide business objective and priority; and
•
oversees our cybersecurity and data protection performance and the overall implementation of our cybersecurity and data protection strategy.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board has delegated day-to-day responsibility for oversight of cybersecurity risks to the Cyber Committee. The Cyber Committee is composed of members of our Board who have diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
•
assists our Board in fulfilling its risk oversight responsibilities with respect to the protection of the Company’s assets, including confidential, proprietary and personal information, reputation and goodwill in all forms;
•
supervises and monitors the soundness of our cybersecurity and data protection strategies and practices;
•
oversees and monitors our material compliance with applicable information security, privacy and data protection laws, industry standards and contractual requirements;
•
promotes and furthers the integrity, adoption and coordination of our data security processes across the Company to help ensure that data and system security is a Company-wide business objective and priority; and
•
oversees our cybersecurity and data protection performance and the overall implementation of our cybersecurity and data protection strategy.
|Cybersecurity Risk Role of Management [Text Block]
|
At the management level, our Chief Technology Officer and our Senior Vice President, Technology and Innovation, as well as our technology staff, are primarily responsible for identifying, assessing, monitoring and managing our cybersecurity. Our Chief Technology Officer reports directly to our President and Chief Executive Officer and meets at least quarterly with the Cyber Committee. Our current Chief Technology Officer has over 35 years of industry experience, including service as a Chief Technology Officer/Chief Information Officer for over seven years and extensive experience in developing and leading technology risk management programs. Our Senior Vice President, Technology and Innovation reports directly to the Chief Technology Officer and has over 32 years of industry experience with the Company. He has led the Company’s cybersecurity team and overseen PCI certification for the past seven years, ensuring compliance with industry standards and strengthening the organization's security posture. Additionally, our technology staff holds multiple industry-standard security certifications, including Cisco Certified Network Associate, PCI Internal Security Assessor, and Certified Ethical Hacker.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|At the management level, our Chief Technology Officer and our Senior Vice President, Technology and Innovation, as well as our technology staff, are primarily responsible for identifying, assessing, monitoring and managing our cybersecurity. Our Chief Technology Officer reports directly to our President and Chief Executive Officer and meets at least quarterly with the Cyber Committee. Our current Chief Technology Officer has over 35 years of industry experience, including service as a Chief Technology Officer/Chief Information Officer for over seven years and extensive experience in developing and leading technology risk management programs. Our Senior Vice President, Technology and Innovation reports directly to the Chief Technology Officer and has over 32 years of industry experience with the Company. He has led the Company’s cybersecurity team and overseen PCI certification for the past seven years, ensuring compliance with industry standards and strengthening the organization's security posture. Additionally, our technology staff holds multiple industry-standard security certifications, including Cisco Certified Network Associate, PCI Internal Security Assessor, and Certified Ethical
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our current Chief Technology Officer has over 35 years of industry experience, including service as a Chief Technology Officer/Chief Information Officer for over seven years and extensive experience in developing and leading technology risk management programs. Our Senior Vice President, Technology and Innovation reports directly to the Chief Technology Officer and has over 32 years of industry experience with the Company. He has led the Company’s cybersecurity team and overseen PCI certification for the past seven years, ensuring compliance with industry standards and strengthening the organization's security posture. Additionally, our technology staff holds multiple industry-standard security certifications, including Cisco Certified Network Associate, PCI Internal Security Assessor, and Certified Ethical Hacker.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|At the management level, our Chief Technology Officer and our Senior Vice President, Technology and Innovation, as well as our technology staff, are primarily responsible for identifying, assessing, monitoring and managing our cybersecurity. Our Chief Technology Officer reports directly to our President and Chief Executive Officer and meets at least quarterly with the Cyber Committee. Our current Chief Technology Officer has over 35 years of industry experience, including service as a Chief Technology Officer/Chief Information Officer for over seven years and extensive experience in developing and leading technology risk management programs. Our Senior Vice President, Technology and Innovation reports directly to the Chief Technology Officer and has over 32 years of industry experience with the Company. He has led the Company’s cybersecurity team and overseen PCI certification for the past seven years, ensuring compliance with industry standards and strengthening the organization's security posture. Additionally, our technology staff holds multiple industry-standard security certifications, including Cisco Certified Network Associate, PCI Internal Security Assessor, and Certified Ethical
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef