TJX COMPANIES INC /DE/ - (TJX)

10-K Filing Date: April 03, 2024
ITEM 1C. Cybersecurity
Risk Management and Strategy
As a global retailer, we are mindful of the ongoing risks to our IT systems and operations from various sources and have implemented processes to monitor and mitigate these risks. We have adopted a cybersecurity program designed to identify, assess, and manage material risks from cybersecurity threats and have integrated cybersecurity risk into our broader enterprise risk management framework. We incorporate third-party assessments into our risk management program using recognized standards that are relevant to our business and we periodically self-assess various functional areas of our organization.
We use a variety of strategies and techniques designed to identify cybersecurity risks and reduce the risk of unauthorized access to our organization’s confidential information (including customer, vendor, and associate data) and critical business systems. This approach includes various assessment activities (e.g., threat actor emulation and penetration testing), tabletop exercises, security awareness and training activities (e.g., simulated phishing campaigns and specialized training for cybersecurity personnel), encryption of certain types of information, and certain controls governing access to TJX facilities and systems, among other threat- and risk-based safeguards. The scope and level of our risk-based initiatives in these areas vary across functions and across the business.
We maintain an Information Management Program that is overseen by our Information Management Steering Committee (the “IMSC”), which is a cross-functional group consisting of senior leaders from areas such as IT, IT Security, Risk and Compliance, Privacy, Legal, and Audit. The IMSC is responsible for developing and updating policies to support TJX’s Information Management Program and enhance the overall privacy, information security, and records management posture of our business.
Within our IT Security department, our Security Operations Center provides threat detection and incident response capabilities. We also have an incident response plan which describes roles and responsibilities for internal stakeholders in responding to and escalating potential cybersecurity incidents. We periodically test this plan through tabletop exercises with relevant stakeholders across various functions of our business, including members of senior management.
We also have processes in place designed to identify and mitigate risks from third party technology and service providers, including, as appropriate, pre-contractual due diligence, review of contractual terms addressing cybersecurity and data protection, and periodic re-assessment based on assessed vendor risk.
Board of Directors Oversight
Our Board of Directors has oversight of the systems and processes established to report and monitor the most significant risks to our business (including those related to cybersecurity) and administers this oversight with respect to cybersecurity directly and through our Audit and Finance Committee. Our Board of Directors has oversight of our enterprise risk management program and, in addition, our Audit and Finance Committee reviews IT and cybersecurity risks and related topics with senior management on at least a quarterly basis. Significant cybersecurity risks identified by our Audit and Finance Committee are reported to the Board for review and consideration. Our Board has also had dedicated sessions during Board meetings on specific cybersecurity topics both led by our IT senior leaders and by outside advisors as part of its cybersecurity oversight practices. Additionally, outside of regular Board and committee meetings, the Chair of the IT Subcommittee of the Audit and Finance Committee meets with senior management (including the Chief Information Security Officer (“CISO”) and the Executive Vice President, Chief Information Officer (“CIO”)) on at least a quarterly basis to remain informed of and support our cybersecurity programs, including our assessment of current threats, defensive efforts, and other organizational initiatives.
Management’s Role in Managing Risk
Our information security program is overseen by our CISO, who has over thirty-five years of cybersecurity, information governance, and IT experience in critical infrastructure, private industry, and government. Our CISO reports to our CIO, who has more than twenty-eight years of global information technology leadership experience. Our CISO is informed about and monitors the prevention, detection and mitigation of cybersecurity threats through his management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
Other than the unauthorized intrusion into our network discovered late in 2006, discussed in Item 1A in this Form 10-K, we are not aware of a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition. Despite our continuing efforts, our cybersecurity safeguards may not prevent breaches or breakdowns of our or our third-party service providers’ IT systems, particularly in the face of continually evolving cybersecurity threats and increasingly sophisticated threat actors. For more information, see “Compromises of our cybersecurity, disruptions in our information technology systems, or failure to satisfy the information technology needs of our business could result in material loss or liability, materially impact our operating results or materially harm our reputation” in Item 1A in this Form 10-K.