LOWES COMPANIES INC - (LOW)

10-K Filing Date: March 25, 2024
Item 1C - Cybersecurity

We maintain a robust cybersecurity program that we have designed with the goal of identifying, deterring, detecting, responding to, and managing potential cybersecurity risks and threats.

Risk Management and Strategy

Risk management is a central part of our cybersecurity program. We conduct regular risk assessments and monitor our information systems for potential vulnerabilities. We employ a risk quantification model to identify, measure, and prioritize cybersecurity and technology risks, and we implement corresponding security controls and safeguards based on model outputs.

In addition to cybersecurity risks being tracked, managed, and monitored directly by the information security group, cybersecurity risks are also integrated into, and are among the risks evaluated and considered by, our enterprise risk management program. The Company’s Chief Legal Officer provides centralized oversight of our enterprise risk management program, which is managed by our Chief Compliance Officer and the Office of Enterprise Risk Management in partnership with the Enterprise Risk Council (ERC). The ERC is comprised of senior Company leaders with broad enterprise experience, including our Chief Information Security Officer (CISO).

Processes and Procedures

We have adopted physical, technological, and administrative controls on cybersecurity. Our risk management processes include, among others, the following features:

We leverage the National Institute of Standards and Technology security frameworks as well as established internal security standards, industry practices, and applicable regulatory requirements. Our program is designed to comply with a range of applicable industry standards, such as the Payment Card Industry Data Security Standard.

We maintain cybersecurity insurance coverage that provides protection against potential losses arising from certain cybersecurity incidents.

We require that cybersecurity awareness and data privacy training, along with company-wide and tailored training programs, be provided to associates annually. We also regularly conduct phishing and social engineering simulations, and host events to increase awareness, including an annual cybersecurity awareness summit and monthly campaigns.

We have a cybersecurity incident response plan in place which provides a framework for responding to cybersecurity incidents. Our information security team leverages technologies and vendors to monitor and respond to security threats via a dedicated security operations center. In the event of a security incident, a defined procedure outlines containment, response, and recovery actions that draw on resources and leadership across the Company, as needed.

A cross-functional team conducts periodic simulated exercises, and we perform regular vulnerability scanning and conduct vulnerability testing during the software development life cycle.

We collaborate with internal stakeholders and third-party assessors and consultants to conduct regular reviews, tests, and audits of our security program. This coordinated approach reviews security controls that safeguard our information assets, including payment information, through processes such as security control assessments and third-party penetration testing. Additionally, we utilize tabletop exercises, penetration and vulnerability testing, red team exercises, simulations, and other evaluations to improve our security measures and strategies.

We also participate in various cybersecurity and retail industry groups to remain apprised of emerging cybersecurity risks, defense, mitigation strategies, and governance best practices.

Third-Party Risk Management

Our cybersecurity risk management processes extend to the oversight and identification of threats associated with our use of third-party service providers. We have developed contracting processes and terms to gain commitments from certain vendors and third-party service providers to adhere to appropriate security practices and outline specific security requirements and expectations, including compliance with industry standards, applicable laws and regulations, and our internal security policies. We regularly evaluate and assess vendor risk levels based on a variety of factors, such as the nature of shared data, potential impact to business continuity, and vendors' security posture. Our processes extend beyond initial evaluations to include proactive monitoring and routine oversight.

Cybersecurity incidents and risks of which we are aware as of the date of this Form 10-K have not materially affected our business strategy, results of operations, and financial condition, although we face ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our business strategy, reputation, results of operations, or financial condition. See “Risk Factors” in Item 1A of this Annual Report on Form 10-K for more information on our cybersecurity-related risks.

Governance

Our Chief Digital and Information Officer (CDIO), our CISO, and senior members of our information security group are responsible for identifying, assessing, and managing risks from cybersecurity threats. Our CISO, who manages our cybersecurity program and receives information regarding cybersecurity incidents and threats from our information security group and through internal escalation procedures, reports to the CDIO, who reports directly to our Chairman, President, and Chief Executive Officer.

The CDIO has served in various roles in information technology for over 25 years, holds undergraduate and graduate degrees in electrical and electronics engineering and computer science, and brings significant insights into cybersecurity strategies. The CISO has served in various roles in information security for over 30 years, including serving as a CISO of four public companies. The senior members of the information security group who report to the CISO have extensive experience in technology and security roles from serving with several large public companies and possess cybersecurity certifications, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor, among others.

Oversight responsibility over cybersecurity risk is shared by the Board and the Audit Committee, with the Audit Committee being primarily responsible for overseeing risks related to cybersecurity, data protection, and privacy matters. The Audit Committee regularly reviews metrics about cyber threat response preparedness, program maturity milestones, risk mitigation status, and the current and emerging threat landscape, in addition to the results of third-party reviews and assessments of our security controls. Our CDIO or CISO provides regular cybersecurity updates in the form of written reports and presentations to the Audit Committee at its quarterly meetings, which are also provided to the full Board. We also have protocols by which certain cybersecurity incidents are escalated and, where appropriate, reported to the Audit Committee in a timely manner.
