TRACTOR SUPPLY CO /DE/ 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

TRACTOR SUPPLY CO /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 16:06:18 EST.

Filings

10-K filed on 2024-02-23

TRACTOR SUPPLY CO /DE/ filed a 10-K at 2024-02-23 16:06:18 EST
Accession Number: 0000916365-24-000046


Item 1C. Cybersecurity.

Cybersecurity is among the most critical risks to the Company. For many activities important to its business, the Company depends on the confidentiality, integrity, and availability of information systems and data, some of which are provided or managed by third parties. The Company's Information Security and Privacy teams reduce first and third-party risk by maintaining a proactive security posture aligned with current threats, detecting cybersecurity events and responding quickly, and building procedures to rapidly recover. These teams are managed by the Vice President, Information Security and Privacy, who reports to the Executive Vice President, Chief Technology, Digital Commerce, and Strategy Officer. The Company's cybersecurity leaders have more than 25 years of relevant experience and multiple professional certifications.

On behalf of the Board, the Audit Committee provides oversight of the Company's management of cybersecurity risk. The Audit Committee regularly reviews the Company's cybersecurity risks, incidents, audits, assessments, crisis readiness, awareness activities, and compliance with cybersecurity and privacy laws and regulations. The Company's Executive Vice President, Chief Technology, Digital Commerce, and Strategy Officer briefs the Audit Committee quarterly, and more often, if necessary, on active and emerging cybersecurity threats and efforts to strengthen the Company's defenses against these threats.

Internal and third-party risks are reviewed, monitored, and managed by the Company's Cybersecurity and Privacy teams, audited by an Internal Audit team and various external experts, and tracked within an Enterprise Risk Management framework.

The Company regularly engages third-party experts to assess the effectiveness of its cybersecurity programs. Biennially, an external independent consultancy team conducts a comprehensive review of the Company's cybersecurity program using the NIST Cybersecurity Framework. Targeted assessments are conducted regularly by internal and third-party experts to ensure compliance with specific federal and state laws and regulations. Additionally, the Company is assessed annually by an independent third party for compliance with the PCI-DSS standard, for which the Company receives an attestation of compliance.

The Company's processes for identifying and managing first and third-party risks from cybersecurity threats include:

- Continuous monitoring of the Company's systems and network for cybersecurity events;
- Regular testing of the Company's Security Incident Response Plan, Business Continuity plans, and Disaster Recovery plans;
- Required annual security training for team members with access to Company email, as well as tailored training for team members in more sensitive roles. Periodic testing to ensure the security training is effective.

An external managed security services provider and industry-leading security tools continuously monitor the Company's systems and network for cybersecurity threats. The Company's cybersecurity teams evaluate the escalated threats, and if necessary, take steps to contain and recover from pervasive threats in accordance with the Company's Security Incident Response Plan. The plan includes reporting and escalation procedures to inform the Executive Committee, Audit Committee, and full Board, as appropriate to enable them to carry out their oversight responsibilities, and to ensure timely compliance with applicable reporting rules.

The Company's Business Continuity Management and Disaster Recovery plans include procedures for business recovery and are tested regularly.

The Company's security awareness program seeks to create a culture of shared responsibility for the security of sensitive data and systems. This is accomplished through mandatory annual security training for team members with access to Company email as well as tailored training for team members in more sensitive roles. Periodic testing ensures the training is effective. In addition, all team members have access to a variety of training materials on security topics through the Company's training management system.


Company Information

Name: TRACTOR SUPPLY CO /DE/
CIK: 0000916365
SIC Description: Retail-Building Materials, Hardware, Garden Supply
Ticker: TSCO - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 29