Macy's, Inc. - (M)
10-K Filing Date: March 22, 2024
Item 1C. Cybersecurity
Macy's, Inc. is committed to protecting information that is valuable to our customers and critical to business operations from unauthorized access and disclosure.
Risk Management and Strategy
Macy's, Inc. operates a security operations program that employs a defense-in-depth strategy to provide layers of safeguards against cybersecurity threats. We apply a hybrid security framework model using the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO) 27001, Control Objectives for Information and Related Technologies (COBIT) and Payment Card Industry Data Security Standard (PCI DSS) frameworks as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
We conduct ongoing risk assessments, as well as internal and external vulnerability scanning and penetration testing of select systems and platforms. We work with our cloud platform providers to implement a consistent security and control environment through a combination of internal, front-end and additional controls, such as access, firewall and authentication controls.
We undertake other activities to manage risks from cybersecurity threats, including: managing access to Company data; use of encryption; procedures to manage information security incidents, both actual and suspected; establishing security standards and procedures for day-to-day operations to promote optimal system performance and maintain the integrity of operational systems; implementing detection, prevention and recovery controls to protect information technology assets; backup procedures to prevent the loss of critical data; and restrictions on software installations, among other practices.
We have an enterprise risk management program that identifies and prioritizes enterprise risks. At committee and Board meetings periodically throughout the year, management discusses the risk exposures identified as being most significant to the Company and the related actions that management may take to monitor such exposures. The program utilizes a network of functional experts with managerial responsibility for various aspects of enterprise risk management. Our oversight of risks from cybersecurity threats has been incorporated into our enterprise risk management program.
We have established data security breach preparedness and response plans that are tested and practiced regularly and address a range of scenarios that include data breaches and ransomware attacks. We are subject to regular information technology and security audits by internal audit staff.
Our policy is to vet and train colleagues and relevant contractors and to protect Company data. A pre-employment screening process is conducted for candidates, including contractors and third parties, with background verification checks on some candidates for employment. Colleagues, including relevant contractors, must receive appropriate security training and be made aware of organizational policies and procedures relevant for their job function.
In the event we experience an actual or threatened cybersecurity incident, our Security team will consult with a third-party security firm when appropriate, perform a root cause analysis and determine both how to address the threat and whether we could take additional steps to improve our security posture. In this regard, prior cybersecurity incidents have informed changes to our processes to minimize vulnerabilities. As of the filing of this Annual Report on Form 10-K, we are not aware of any cybersecurity incidents that have occurred that have materially affected, or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, if as a result of any future attacks our information technology systems are significantly damaged, cease to function properly or are subject to a significant cybersecurity breach, we may suffer an interruption in our ability to manage and operate the business, and our business strategy, results of operations or financial condition could be adversely affected. For additional information about risks related to actual or threatened cybersecurity incidents, see “Information Security, Cybersecurity, Privacy and Data Management Risks” in the “Risk Factors” section of this Annual Report on Form 10-K.
Governance
The Audit Committee of our Board of Directors is responsible for addressing policies with respect to the Company's risk assessment and risk management, including risks related to data privacy, computerized information controls and cybersecurity, and to consider any recommendations for improvement of such controls. The chairperson of the Audit Committee updates the full Board of Directors on these discussions.
The Audit Committee, and the full Board of Directors when appropriate, receive regular updates from management on IT security, internal and external security reviews, data protection, risk assessments, breach preparedness, systems disruption risk, threat assessments, response plans and consumer privacy compliance.
The Macy's, Inc. Security team is responsible for assessing and managing material risks from cybersecurity threats, including the prevention, mitigation, detection and remediation of cybersecurity incidents. The Macy's, Inc. Security team is composed of security professionals with diverse backgrounds, including former law enforcement, government and military.
Users with access to Company data and information technology assets are required to promptly report known or suspected security incidents. Our incident response process escalates reporting of cybersecurity incidents to senior management, and disclosure controls and procedures are in place to review the impact on the Company.
Our Chief Information Security Officer (CISO) leads our data protection programs. Our CISO is head of information security, privacy, IT risk, and identity and access management, and has 33 years with the Company in various roles of increasing responsibility, including Audit Assurance, Computer Operations, Networking and System platforms. The CISO provides cybersecurity updates at least three times per year to the Audit Committee and an annual review to the full Board of Directors.