DICK'S SPORTING GOODS, INC. - (DKS)
10-K Filing Date: March 28, 2024
ITEM 1C. CYBERSECURITY
Risk Management/Strategy
The protection of our data, including athlete and teammate data, is critical to the Company’s strategy of being a trusted advisor throughout the athlete and teammate experience. Cybersecurity is integrated into the Company’s Enterprise Risk Management framework and is overseen by management and the Audit Committee.
The Company’s Cybersecurity team, led by the Company’s Chief Information Security Officer (“CISO”), works in close partnership with multiple internal constituencies to monitor and focus on current and emerging data security matters across the Company and with third parties while implementing and enabling industry-accepted cybersecurity risk management and compliance frameworks and programming, including the NIST Cybersecurity Framework. Internal and third-party risks are reviewed, monitored, and managed by the Company's Cybersecurity and Privacy teams, and audited by an Internal Audit team and various external parties. The Company regularly engages third-party experts to assess the effectiveness of its cybersecurity programs. Additionally, the Company continually invests in skilled personnel; recurring training, processes, and procedures; insurance coverages; and numerous technologies to keep pace with current threats and trends and an ever-evolving legal, regulatory, compliance, and risk landscape with respect to cybersecurity.
The Company has implemented a Cybersecurity Incident Response Plan (the “IR Plan”) and framework to appropriately detect, contain and respond to cybersecurity incidents. The IR Plan identifies protocols for incident classification, the use of third-party service providers where applicable, processes for notification and internal escalation of information to senior management and the Audit Committee, and processes for materiality review. The IR Plan is reviewed and updated, as necessary, under the leadership of the Company’s CISO. Additionally, the Company maintains processes to assess the risks associated with third parties that store, transmit, or process sensitive Company data.
While we have no knowledge of any material data security breaches to date, any compromise of our data security could result in a violation of applicable privacy and other laws or standards, significant legal and financial exposure beyond the scope or limits of our insurance coverage, interruption of our operations, increased operating costs associated with remediation, equipment acquisitions or disposal, added personnel, and a loss of confidence in our security measures, which could harm our business, athlete experience, reputation or investor confidence. See Item 1A. “Risk Factors” for more information on the Company’s cybersecurity-related risks.
Governance
The Audit Committee provides oversight of our cybersecurity risk management, as the security of athlete and teammate data continues to be a Company-wide priority. Our cybersecurity risk management is led by our CISO, who has more than 24 years of experience leading cybersecurity capabilities and management of cybersecurity risk. The CISO reports to the Company’s Chief Technology Officer, who reports directly to the Company’s Chief Executive Officer. The CISO provides quarterly (or more often, if necessary) updates to the Audit Committee and periodic updates to the full Board regarding existing and new cybersecurity risks, including how management is mitigating those risks. The CISO and the broader cybersecurity team are responsible for detecting, containing, and responding to cybersecurity incidents as documented within the IR Plan.