DOLLAR GENERAL CORP - (DG)

10-K Filing Date: March 25, 2024
ITEM 1C. CYBERSECURITY

We design, implement, and maintain a comprehensive information security program consisting of commercially reasonable administrative, organizational, and technical controls, practices, and safeguards which follow applicable laws, regulations, and industry best practices to protect against confidentiality, integrity, and availability threats to our information systems. Such controls, practices, and safeguards include, but are not limited to, published security policies, firewalls, intrusion prevention solutions, anti-malware solutions, data encryption, data loss prevention, security logging and monitoring, security configuration hardening, security patch/update management, remote access security, security risk management, vulnerability and threat management, security training and awareness, security controls testing, identity and access management, secure solutions development, and a comprehensive security incident response plan. Our Vice President and Chief Information Security Officer (“CISO”), who has approximately 30 years of experience in the information technology field with approximately 25 years of full cybersecurity focus and approximately 20 years as a Certified Information Systems Security Professional (CISSP), has responsibility for assessing and managing our information security program and related risks, which includes information security incident prevention, detection, mitigation and remediation, and leading a department of information security professionals with relevant industry and professional experience. Our CISO reports directly to our Executive Vice President and Chief Information Officer (“CIO”), who has approximately 25 years of experience in the information technology field that includes direct interaction with or supervision of cybersecurity functions.

We also maintain a third-party security risk management program to identify, oversee, prioritize, assess, and mitigate third party risks; however, we rely on our third-party partners to implement effective information security programs commensurate with the risk associated with the nature of their business relationships to us and cannot ensure in all circumstances their efforts will be successful. We and our third-party partners have experienced threats to, and incidents involving, data and systems, including by perpetrators of attempted random or targeted malicious attacks; computer malware, ransomware, bots, or other destructive or disruptive hardware and/or software; and attempts to misappropriate our and our customers’ information and cause system failures and disruptions, although to date none have been material to our business. See “Item 1A. Risk Factors” for additional information regarding cybersecurity-related risks that could impact our business.

The Audit Committee of our Board of Directors oversees our cybersecurity risks through various means, including but not limited to its oversight of our enterprise risk management program. In connection with its oversight of this program, our Audit Committee discusses with management the process by which risk assessment and risk management is undertaken and our major financial and other risk exposures, including without limitation those relating to our information systems, information security, data privacy, business continuity, and third-party information security, and the steps management has taken to monitor and control such exposures. Our Audit Committee reviews enterprise risk evaluation results at least annually and high residual risk categories, along with their mitigation strategies, quarterly.

In addition to consideration as part of the enterprise risk management program, cybersecurity risk is further evaluated through various internal and external audits and assessments designed to validate the effectiveness of our controls for managing the security of our information assets, and management develops action plans to address select identified opportunities for improvement. Additionally, our Audit Committee quarterly reviews reports and metrics, including a dashboard, pertaining to cybersecurity risks and prevention, detection, mitigation and remediation efforts with our CIO and CISO to help our Audit Committee understand and evaluate current risks, monitor trends, and track our progress against specific metrics. Our Audit Committee also has the responsibility to review with management and our outside auditor any unauthorized access to information technology systems that could have a material effect on our financial statements. Further, our Audit Committee receives quarterly updates regarding our business continuity and IT disaster recovery plan, as well as cybersecurity incidents which occurred during the prior quarter.

Our Audit Committee also has undertaken cybersecurity education in recent years to assist members in overseeing related risks. Such activities included a cyber threat intelligence update focusing on the global impact of ransomware on the retail sector and trends in retail sector compromises; the state of cybersecurity regulation; an overview of methods to perform cyber risk quantification; an update on the evolving retail landscape’s impact on cyber risk to retail organizations; and an overview of Company-specific cyber-related risk considerations.
