HOME DEPOT, INC. - (HD)

10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. We have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such risks. Our cybersecurity program prioritizes threat mitigation, while focusing on maintaining the integrity and resilience of our systems. We use the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework as a guideline in the development of our cybersecurity program. We also adhere to the applicable requirements of the Payment Card Industry Data Security Standard (“PCI DSS”). The cybersecurity risk management process and related governance processes are integrated into our broader enterprise risk management framework, which is designed to appropriately identify, prioritize, manage, and oversee risks.
Overseeing our cybersecurity efforts on a day-to-day basis is our cybersecurity team, led by our Chief Information Security Officer (“CISO”). Our cybersecurity team, in partnership with third parties, designs and implements our data security and cybersecurity programs, risk assessments, monitoring procedures, and training programs for our associates. We continue to make investments to enhance our ability to identify, protect against, and detect security risks within our environment.
Monitoring and Mitigation. We maintain a range of tools and services to aid in and inform our monitoring and mitigation of cyber risks. Throughout the year, internal teams conduct targeted audits and penetration tests. We engage third parties to independently evaluate our cybersecurity maturity on an annual basis and perform a risk assessment, as well as to provide expertise as needed on various cybersecurity programs and issues. We maintain a security operations center that is staffed around the clock to detect, mitigate, and respond to cyber threats. In the event we identify a cybersecurity incident, we have defined procedures to respond to and recover from such incident as quickly as possible. Our policies and procedures are reviewed periodically to ensure they remain aligned with current regulatory requirements and the current threat landscape. We also have established classification and retention policies focused on limiting the risk of unauthorized exposure of customer, associate, and business data. We maintain cybersecurity insurance to help provide protection against losses arising from significant security incidents.
The Company has an Incident Response Team (“IRT”), a cross-functional group with the expertise, authority and resources to act quickly, efficiently and appropriately to investigate, coordinate the response to, remediate, and communicate regarding a cybersecurity incident. The IRT uses a detailed incident response plan that outlines and coordinates the actions we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess the severity of, escalate, contain, investigate, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. In addition, our IRT engages in tabletop exercises at least annually to simulate a response to a cybersecurity incident and uses the findings to improve our processes, plans and technologies.
Training. We provide data security and privacy awareness and training to all associates upon hire and on an annual basis, with additional customized, role-based training provided to targeted internal audiences. In addition, we conduct periodic awareness campaigns and regular phishing email simulation tests to reinforce our new-hire and annual training and promote ongoing awareness of risks.
Vendor Security. We have a vendor risk management program that works to classify service provider or business partner risk based on several factors, including but not limited to data type accessed and/or retained. Using a risk-based approach, we perform diligence and security risk assessments for certain vendors and service providers and include appropriate obligations in our contractual arrangements.
Cybersecurity Risks. We have not experienced any material cybersecurity incidents in the past fiscal year. We face risks from cybersecurity threats that, if realized, may materially affect our business strategy, results of operations or financial condition. Despite our efforts, we cannot provide full assurance that our cybersecurity risk management processes will be fully implemented, complied with or effective in preventing or mitigating future cybersecurity risks. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or, if realized, are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, in Part I, Item 1A. “Risk Factors”.
Fiscal 2023 Form 10-K
Governance
Our efforts to create a secure digital environment start with the governance and oversight of our data security and privacy policies and strategy. At the Board level, cybersecurity is overseen by the full Board and by the Board’s Audit Committee, which has primary responsibility for overseeing cybersecurity and privacy risks. At least quarterly, the Board and/or the Audit Committee receives reports on data protection and cybersecurity matters from senior information technology (“IT”) leaders, including our Chief Information Officer (“CIO”) and CISO, as well as the Chair of our Data Security and Privacy Governance Committee (discussed below). In addition, at least annually, our full Board holds a meeting dedicated to cybersecurity topics. Periodically, our Board receives presentations on cybersecurity matters from third-party cybersecurity experts.
Our CISO, who reports to our CIO, joined the Company in 2021 after working with the Company as a third-party consultant since 2019. During a nearly two-decade tenure at a leading professional services firm, he worked with clients on managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs and initiatives addressing emerging cybersecurity threats. Our CISO has significant prior cybersecurity experience, including experience protecting company, customer and associate data across a diverse set of industries. He holds a Bachelor of Science degree in Information Systems and has achieved several relevant certifications, including Certified Information Security Manager, Certified Information Systems Security Professional, and Certified Information Privacy Professional. Our CISO leads a team of over 500 associates focused on cybersecurity.
We have three management-level committees that support our cybersecurity, privacy and data governance efforts. They are led by our Data Security and Privacy Governance Committee, which provides management-level governance over cybersecurity matters, including discussion of cybersecurity priorities, emerging risks, awareness and training programs, risk mitigation efforts, and regulatory compliance. This committee is chaired by our Vice President – Internal Audit and Corporate Compliance and is composed of a cross-functional team of senior leaders, including our CEO. The committee generally meets quarterly and is supported by our Security and Technology Risk Leadership Committee and our Privacy and Data Governance Committee. The activities of the Data Security and Privacy Governance Committee are reported to the Audit Committee and/or the full Board by the Chair of the committee, as appropriate.
The Security and Technology Risk Leadership Committee provides leadership and oversight of our cybersecurity program. It is chaired by our CISO and composed of Company technology leaders as well as a cross-functional group of representatives from other departments. Our Privacy and Data Governance Committee provides leadership and oversight of our privacy and data governance programs. It is chaired by our Chief Privacy Officer and composed of a cross-functional group across approximately 20 departments. These committees generally meet monthly or every other month and report to the Data Security and Privacy Governance Committee on a regular basis.