BEST BUY CO INC - (BBY)
10-K Filing Date: March 15, 2024
We rely heavily on information technology systems to operate and manage all key aspects of our business. We also process substantial volumes of confidential business information and sensitive consumer and employee personal information which, if compromised by cyber threats, could result in financial and reputational harm and regulatory sanctions. We have developed and implemented, and update on an ongoing basis, a risk-based information security program designed to identify, assess and manage material risks from cybersecurity threats.
Cybersecurity Risk Management and Strategy
Our information security program comprises administrative, technical and physical safeguards designed, under a risk-based approach, to reasonably mitigate cybersecurity risks to the confidentiality, integrity or availability of our information systems and information. These include safeguards designed to oversee service-provider relationships in a manner consistent with the risks presented by the engagement and use of the service provider.
The program deploys multiple layers of controls designed to identify, protect against, detect, respond to and recover from information security and cybersecurity incidents. Our Cyber Security Incident Response Team, which is part of our Enterprise Information Protection (“EIP”) organization, plays a core role in detecting, mitigating and remediating cybersecurity incidents. Based on the nature and severity of the incident, our response is guided by documented incident response plans. These plans outline the steps to be followed, the functional areas to be engaged, the internal escalations to be pursued (which may include, as appropriate, senior management, executive management and the Board) and the stakeholders to be notified.
Third parties also play a role in our cybersecurity. We engage third parties for advice and support in the design and implementation of certain program elements and leverage third-party tools to help identify and mitigate cybersecurity risks. Certain specific, defined components of our technology environment are assessed by third-party auditors for alignment with industry standards such as, for example, the Payment Card Industry Data Security Standard (PCI DSS).
We also periodically retain outside expertise to conduct a maturity assessment of our program against industry standards and industry peers. Our program is informed by industry standards such as, for example, the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (“NIST CSF”), but this does not imply that we meet all technical standards, specifications or requirements under the NIST CSF or other sources.
We have combatted cybersecurity threats in the normal course of business, but prior cybersecurity incidents have not materially affected, and do not appear likely to materially affect, our operations, business strategy, results of operations or financial condition. However, our Enterprise Risk Management program has recognized that we face ongoing risks from cybersecurity threats that, if not successfully prevented or mitigated, could materially affect us, including our operations, business strategy, results of operations or financial condition. For additional information on this risk, see Item 1A, Risk Factors, of this Annual Report on Form 10-K.
Cybersecurity Governance
Our Board, with oversight by the Audit Committee, oversees management’s processes for identifying and mitigating cybersecurity risks. Executive management, including our Chief Information Security Officer (“CISO”), who reports to our General Counsel & Chief Risk Officer, updates the Audit Committee on our cybersecurity posture no less frequently than quarterly and periodically updates the full Board.
Our EIP organization, led by our CISO, is responsible for the design and implementation of our information security program. Our current CISO has been with the Company for more than eight years, serving as our CISO for nearly seven of those years, and has extensive cybersecurity experience gained through leadership and consulting roles. His current leadership team, comprising seven individuals, has over 130 years of combined cybersecurity experience. These and other EIP team members work closely with stakeholders across the Company to implement the program’s policies, standards and processes and to help ensure awareness that securing customer information and honoring our privacy promises are core employee obligations, as highlighted in our Code of Ethics and reinforced through our Valuable Information Protection training program.