Petco Health & Wellness Company, Inc. - (WOOF)
10-K Filing Date: April 02, 2024
Cybersecurity Risk Management and Strategy
Our executive team and board of directors recognize that effective cybersecurity risk management is critical to the safety and security of our data, systems, and products and, ultimately, the long-term success of the Company. We have a comprehensive multi-layered cybersecurity risk assessment program, which covers the identification, analysis, evaluation, and management of cybersecurity risks. The program is cross-functional, involving the participation and input of internal stakeholders, third-party consultants, and board oversight. The program is reviewed and updated on a semi-annual basis, or sooner if needed.
We engage in frequent and comprehensive monitoring of our systems, including network, systems, and application security monitoring integrated into a Security Information and Event Monitoring (SIEM) system. In addition, should a cybersecurity incident occur, our response plan is based on the NIST Special Publication 800-61 Revision 2 Computer Security Incident Handling Guide, and requires the following steps:
Discovery. Occurs when a potential security incident is reported. Discovery can be initiated in several ways, including by customer support, employees, business partners, as a result of IT logging and monitoring, or in response to customer or vendor correspondence. Containment is the priority in the Discovery phase.
Investigation. Occurs when the Discovery phase establishes a likelihood that the event is an actionable security incident that warrants further research and analysis. In the Investigation phase, the priority is to swiftly complete an accurate, thorough investigation of the security incident.
Response. Occurs when a security incident is a confirmed data breach; when a security incident requires the Company to take further action to protect the organization and/or affected parties whose sensitive personal information is at risk or has been compromised; or when additional administrative, physical, or technical controls are needed after a security incident. In the Response phase, the priority is to swiftly complete required notification and other procedures according to applicable law.
Closure. Occurs when the Company's incident response steering committee can review the security incident and actions taken to evaluate whether proper investigation and documentation have occurred, and the matter requires no further notice or containment. Root causes and steps to prevent future incidents have been identified. In the Closure phase, the priority is to confirm that all necessary containment, investigation, and response tasks have been completed.
Review. Occurs after the event has been resolved. The priority in this phase is to review the investigation/response process and update this Plan based on the lessons learned.
We also have processes in place to oversee and identify risks from cybersecurity threats associated with our use of third party service providers. We classify third parties engaged by us based on risk and impact to our business. Classification is broken into tiers as follows:
Tier 1. Access to critical infrastructure, data, or services affecting critical infrastructure. Administrative or privileged access to production systems, including hosting or developing systems, applications, websites, software, or SaaS solutions.
Tier 2. Non-privileged access to Company applications.
Tier 3. No direct system access but may be associated through a partnership or have links hosted embedded within Company marketing material or websites.
Third party risk scores are weighted based on the classification tier and monitored over the course of the year. A change in risk score may trigger an audit for the third party as well as a remediation plan to address any identified gaps, which our information security team oversees in conjunction with the relevant business owner for the third party relationship.
While we face a variety of cybersecurity risks, such as phishing attempts, ransomware attacks, account takeover, fraudulent orders, and unauthorized access attempts, such risks have not materially affected us to date, including our business strategy, results of operations or financial condition, and we do not believe such risks are reasonably likely to have such an effect over the long term. For more information about the cybersecurity risks we face, see “Item 1A – Risk Factors - Our reputation and business may be harmed if our or our vendors’ computer network security or any of the databases containing customer, employee, or other personal information maintained by us or our third-party providers is compromised, which could materially adversely affect our results of operations.”
Cybersecurity Governance
Our board of directors has ultimate oversight of our risk management policies and strategies. Our executive team, which is responsible for our day-to-day overall risk management practices, presents to the board of directors on the various material risks to our Company, including risks related to information technology and cybersecurity.
The audit committee has formal oversight responsibility for cybersecurity, as delegated by our board of directors, and is responsible for reviewing our policies and procedures with respect to cybersecurity risk assessment and risk management. As part of the board of directors and audit committee’s oversight, our Chief Administrative Officer, Chief Technology Officer (“CTO”), and/or Chief Information Security Officer (“CISO”) provide semi-annual updates to the audit committee with respect to cybersecurity incidents, mitigation, threats, risks, and management, which are also communicated to the full board.
Our CISO, who has extensive cybersecurity knowledge and skills gained from over 25 years of work experience at the Company and elsewhere, is responsible for developing and overseeing matters related to cybersecurity and reports directly to our CTO, who is accountable for the overall information technology and security strategy of the Company. The CISO receives reports on cybersecurity threats from several experienced information security professionals responsible for various parts of the business on an ongoing basis and, in conjunction with our enterprise risk steering committee, regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CISO works closely with our legal department to oversee compliance with legal, regulatory and contractual security requirements. Our enterprise risk steering committee is comprised of key stakeholders throughout the Company and works with management and our CISO to (i) identify and review certain cybersecurity risks that we face, including the probability and impact of such risks, and (ii) identify steps needed to eliminate or mitigate such risks. In addition, we have a well-defined cybersecurity incident response plan, as described above. Finally, we have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported in a timely manner to the audit committee and the board of directors.