DOLLAR TREE, INC. - (DLTR)
10-K Filing Date: March 20, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We understand the importance of cybersecurity in maintaining the confidentiality, integrity, and availability of our systems and data. Our business operations leverage information technology infrastructure and third-party vendors and systems which makes us susceptible to various cyber threats. We have implemented a comprehensive cybersecurity risk management program to mitigate these risks and safeguard our assets.
We have measures in place to prevent, detect, and manage material risks from unauthorized access to our electronic information systems. These include various controls, technologies, and processes that protect confidential, proprietary, business and personal information that we collect, process, store, and transmit as part of our business operation.
We also consider cybersecurity, along with other business risks, within our enterprise risk management framework. Our assessment, identification and management of cybersecurity and data privacy risks are reported as part of our regular enterprise risk assessments, security audits and risk management programs. In addition, we leverage recognized consulting firms to conduct application security and penetration testing assessments annually. We also require employees with access to information systems, including all corporate employees, to undertake cybersecurity training and compliance programs annually.
Our cybersecurity program utilizes the National Institute of Standards and Technology framework along with risk-based analysis and judgment, to choose the most effective security controls to address potential risks. We consider various factors such as likelihood and severity of risk, impact on our organization and others if a risk materializes, feasibility and cost of controls, and the effects of controls on our operations and others.
Because we rely on third-party providers and platforms for many of our computer and technology systems and support, we use a variety of processes and tools to address cybersecurity threats related to the use of third-party technology and services, including pre-acquisition diligence, imposition of contractual obligations, and performance monitoring. As a part of our monitoring, we regularly obtain System Organization and Control Reports (SOC Reports) for key third-party financial systems.
As part of our overall strategic initiatives, we have made significant investments in internal and external resources to support and enhance our technology infrastructure over the next several years. As part of this technology transformation, we plan to continue growing our information security team, enhance our cyber response plan and data privacy policies and evolve our procedures around third-party risk management.
No material cybersecurity incidents occurred in fiscal 2023, but future incidents cannot be predicted. Additionally, in “Item 1A. Risk Factors” under the heading “Cybersecurity and Technology Risks,” forward-looking cybersecurity threats that could have a material impact on our business are discussed. Those sections of Item 1A should be read in conjunction with this Item 1C.
Although we have operational safeguards in place, we still face significant risks from cybersecurity threats, as the number of cyberattacks targeting retailers and corporate networks grows, and the volume, intensity and sophistication of attempted attacks, intrusions, and threats from around the world increase daily. We (and third parties upon whom we rely) may be unable to implement security controls fully, continuously, and effectively as intended. As described above, we utilize a risk-based approach that focuses on proactively preventing security risks followed by prompt detection and containment of risks identified. Security controls, no matter how well designed or implemented, may only mitigate, and not fully eliminate risks. In addition, events, when detected by security tools or third parties, may not always be immediately understood or acted upon. If our technology systems, networks, or information are compromised by malicious software, ransomware, or other cyberattacks, we could lose critical data or confidential information of our customers, vendors or associates, experience disruptions in our ability to distribute and sell merchandise and manage inventories, incur substantial remediation costs and/or become subject to negative publicity, costly government actions or litigation.
Notwithstanding the deliberate approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured.
Governance
Our Audit Committee, which includes a member with cybersecurity experience, oversees our management of risks relating to information security and data privacy. At least semiannually, the Audit Committee is responsible for reviewing and discussing our risk exposures related to information security and data privacy with management. These management updates are designed to inform the Audit Committee of any potential risks relating to information security or data privacy and any relevant mitigation or remediation tactics being implemented. In addition, as part of our regular enterprise risk management assessments, cybersecurity risks are reported to and assessed by the Enterprise Risk Committee, comprised of senior leadership from key business functions.
To more effectively prevent, detect and respond to information security threats, we have a dedicated Chief Information Security Officer (“CISO”) whose team is responsible for our overall information security, cyber risk, and business continuity. The CISO brings over 25 years of extensive experience in information technology and information security and serves as the designated executive leader for cyber or data-related incident response activities. Our CISO’s experience includes leading cybersecurity programs for Fortune 100 companies.
In addition to the CISO, the Chief Information Officer and Chief Legal Officer are responsible for overseeing risks related to cybersecurity and data privacy. Our Chief Information Officer’s experience includes more than 25 years of leading all information technology strategies and operations and oversight of IT systems for various Fortune 100 companies, and our Legal Department has personnel specializing in data privacy and cybersecurity who assist our team in assessing and managing cybersecurity risks.
We have a Cybersecurity Incident Response Plan that is integrated into our crisis management program. The plan provides protocols for evaluating and responding to cybersecurity incidents, including incident disclosure and reporting, notification to senior management and relevant committees, and meeting external reporting obligations. The plan is reviewed and updated regularly by our CISO and Chief Legal Officer to ensure its continued effectiveness. We recently performed tabletop exercises where we performed walkthroughs of cyber incident situations to test our response plan. We plan to continue testing on a periodic basis going forward.