Ulta Beauty, Inc. - (ULTA)

10-K Filing Date: March 26, 2024
Item 1C. Cybersecurity

We depend on a variety of information systems and technologies to maintain and improve our competitive position and to manage the operations of our business, including supply chain, merchandising, point of sale, e-commerce, marketing, finance, accounting, and human resources. Our core business systems consist mostly of purchased software programs that integrate together with our internally developed software solutions across a company-wide network that connects all corporate users, stores, and our distribution center infrastructure.

We manage data security and privacy at the highest levels. The Company’s Board of Directors oversees an enterprise-wide approach to risk management (ERM), designed to support the achievement of organizational objectives, including strategic objectives, to improve long-term organizational performance and enhance stockholder value. Management is responsible for the Company’s day-to-day risk management activities and processes, and our Board’s role is to engage in informed oversight of, and provide guidance with respect to, such risk management activities and processes. The Company’s cybersecurity policies, standards, and practices are fully integrated into the Company’s ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. In general, the Company seeks to address cybersecurity risks through a comprehensive, proactive cross-functional approach that is focused on preserving the confidentiality, security, and availability of the information that the Company collects and stores by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents if they occur.

Risk Management and Strategy

As one of the critical elements of the Company’s overall ERM approach, the Company’s cybersecurity program is focused on the following key areas:

Collaborative Approach. The Company has implemented a comprehensive, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt identification and escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

Technical Safeguards. The Company’s Security Operations Center, led by our Vice President IT Risk Management (Chief Information Security Officer), constantly and proactively monitors our network and application landscape for threats and anomalies. The Security Operations Center deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.

Incident Response Plan. The Company has established and maintains a comprehensive incident response plan that addresses the Company’s response to a cybersecurity incident.

Third-Party Risk Management. The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Training. All Ulta Beauty associates have a role as stewards of Company data, and we educate them on how to keep data safe. As part of the Company’s annual security awareness training and regular training around phishing, we train associates on how to keep devices and data safe in public places; how to avoid security threats and phishing scams; how to maintain a secure workplace; and everyday practices that help maintain the security of corporate digital devices, data and systems.

The Company engages in the periodic assessment and testing of the Company’s policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents. We assess ourselves against the National Institute of Standards and Technology Cybersecurity Framework, Payment Card Industry Data Security Standard and management’s defined technology controls to support internal controls over financial reporting. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness, including network penetration assessments. The results of such assessments, audits, and reviews are reported to the Audit Committee of the Board and the Board of Directors, and the Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.

In the last three fiscal years, the Company has not experienced any material cybersecurity incidents, and expenses incurred from cybersecurity incidents were immaterial. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are not reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. Also see “Information Security, Cybersecurity, Data Privacy, Regulatory and Legal Risks” included as part of Item 1A. Risk Factors of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.

Governance

The Company’s Board of Directors is actively engaged in oversight of cybersecurity, and it is part of the responsibilities of our Audit Committee. The Company’s Chief Technology and Information Officer (CTIO) and Chief Executive Officer keep the Board informed on cybersecurity and privacy matters throughout the year, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to the Company’s peers and third parties. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.

The Company’s cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our CTIO and our Vice President IT Risk Management. The Company’s CTIO works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response plans. To facilitate the success of the Company’s cybersecurity risk management program, we have a unified and centrally coordinated team, led by our Vice President IT Risk Management, that is responsible for implementing and maintaining centralized cybersecurity and data protection practices in close coordination with senior leadership and other teams across Ulta Beauty. Reporting to our Vice President IT Risk Management are a number of trained cybersecurity professionals. In addition to our extensive in-house cybersecurity capabilities, at times we also engage consultants, auditors, or other third parties to assist with assessing, identifying, and managing cybersecurity risks.

The Company’s CTIO leads the core elements of Ulta Beauty’s IT and Digital functions, including IT infrastructure, systems and security, digital experience and operations, and consumer technology. He has served in various roles in information technology and information security for over 30 years, including serving as the Global Chief Technology Officer of a large public company prior to joining the Company. The Vice President IT Risk Management leads our information risk management organization responsible for overseeing the Company’s information security program. She has over 25 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies.
