Chewy, Inc. - (CHWY)

10-K Filing Date: March 20, 2024
Item 1C. Cybersecurity
We have an enterprise-wide information security program designed to assess, identify, and manage the Company’s information security risks and identify, evaluate, respond to and resolve information security incidents. To protect our information systems from information security incidents, we use various processes and tools to identify, prevent, detect, escalate, investigate, resolve and recover from identified vulnerabilities and threats. These include, but are not limited to, reporting, monitoring and detection tools that are widely used in the industry, and internal solutions. We have an enterprise-wide Information Security Incident Response Plan (“IRP”), which describes the detailed processes and procedures that should be followed in the event of an information security incident. We conduct assessments based on the National Institute of Standards and Technology cybersecurity framework (the “NIST CSF”) to measure our progress under the maturity framework of NIST CSF and continue to identify opportunities for improvement in our information security program.

We continuously assess technology risks and threats and monitor our information systems for potential vulnerabilities based on industry trends and evolving threats. We use our IRP to identify, evaluate, respond to and resolve information security incidents. We conduct regular reviews of our information security program and also validate our information security program by conducting tabletop exercises, penetration and vulnerability testing, red team campaigns to identify potential vulnerabilities, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our IRP. Our auditors perform independent audits on aspects of our information security program for assurance purposes. We occasionally engage third-party assessors to assess different aspects of our information security program. We conduct regular training for employees on different cybersecurity topics and best practices. We also conduct a risk-based analysis on third-party vendors that we engage to process personal data and confidential information for us and provide them with our information security requirements prior to their engagement.

We are occasionally subject to cybersecurity incidents and we use our IRP to respond to such incidents. Our systems are periodically the target of directed attacks intended to lead to interruptions and delays in our service and operations. We also occasionally experience the misuse or unauthorized disclosure of personal information, other data, confidential information or intellectual property. We occasionally experience account takeovers by bad actors using the credentials of customers acquired from the dark web unrelated to any breaches in our systems. These incidents have not had a material impact on us to date, including our business strategy, financial condition, or results of operations. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, financial condition, or results of operations. For more information about the cybersecurity risks we face, see the risk factor titled “Our failure or the failure of third-party service providers to protect our websites, networks, and systems against cybersecurity incidents, or to otherwise protect our confidential information, could damage our reputation and brand and harm our business, financial condition, and results of operations” under Item 1A “Risk Factors” of this Annual Report on Form 10-K.

The Vice President of Security and Data Systems (the “CISO”) leads our information security organization and is responsible for managing our information security program. Our CISO has over 30 years of industry experience, including serving in similar roles leading cybersecurity programs at other public companies. Team members who support our information security program have relevant educational, industry, and professional experience. Our information security team provides regular reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings.

Our enterprise risk assessment includes our key cybersecurity risks. The Board oversees our annual enterprise risk assessment, where we assess key risks within the company, including technology risks and cybersecurity threats. Our CISO provides quarterly updates to the Audit Committee of the Board, which oversees our cybersecurity risks and regularly reviews and discusses with management various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance; discussion on policies, guidelines, and processes used by management to assess and manage such matters; and the steps management has taken to monitor and control such matters.
