Walmart Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Walmart Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 16:54:48 EDT.

Filings

10-K filed on 2024-03-15

Walmart Inc. filed a 10-K at 2024-03-15 16:54:48 EDT
Accession Number: 0000104169-24-000056


Item 1C. Cybersecurity.

Walmart seeks to build and maintain the trust of customers, associates, shareholders and other stakeholders with respect to our use of technology and data. Our digital trust commitments, in line with our Company’s values of service, excellence, integrity and respect for the individual, provide a foundation for our approach to cybersecurity.

The Board of Directors, committees of the Board of Directors and management coordinate risk oversight and management responsibilities, and cybersecurity represents an important component of our overall approach to enterprise risk management. In general, we seek to address cybersecurity risks through a cross-functional approach focused on protecting business operations and preserving the confidentiality, integrity and availability of information by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Board of Directors’ oversight of risks from cybersecurity threats

Our Board of Directors, which has primary responsibility for overseeing risk management, has delegated risk management oversight responsibility for information systems, information security, data privacy and cybersecurity to the Audit Committee. Several of our Board members, including certain members of our Audit Committee, have backgrounds or professional experience in risk management, digital platforms, information technology or cybersecurity. The Audit Committee receives periodic updates from our Chief Information Security Officer (“CISO”), Chief Technology Officer (“CTO”) and other members of management on risks related to information systems, information security, data privacy and cybersecurity. Specific topics may include updates to our company’s approach to cybersecurity risk management, recent developments, key initiatives, the threat landscape trends and the results of certain assessments and testing.
The Board of Directors receives regular reports from the Audit Committee chair on these and other risk-related matters as deemed necessary. Our CISO or other members of management provide information to the Audit Committee pursuant to risk-based escalation protocols for cybersecurity incidents that exceed established reporting thresholds.

Management’s role in assessing and managing material risks from cybersecurity threats

Our CISO leads Walmart’s Information Security organization and has responsibility for overseeing our Company’s cybersecurity program. To operationalize our program, we deploy multidisciplinary teams, including cybersecurity personnel and professionals, to address cybersecurity threats and respond to cybersecurity incidents, including for those non-wholly owned subsidiaries whose systems have not been fully integrated into Walmart’s networks. Through ongoing engagement with these teams and certain third-party service providers, our CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and reports cybersecurity incidents that reach established thresholds to senior management and the Audit Committee, which are also analyzed for external reporting requirements.

Our CISO has been a Walmart associate for over 30 years, has served in various roles in information technology and information security at Walmart for almost 20 years, and has received industry-recognized information security certifications. Our CTO, to whom the CISO reports, has served as Walmart’s CTO since 2019 and prior to that had experience managing technology and other risks at several other large public companies.

Risk Management and Strategy

Our cybersecurity program is informed by various industry frameworks including the National Institute of Standards and Technology Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (NIST-CSF Version 1.1), which are reflected in our related policies, standards, processes and practices. We may implement changes to our cybersecurity program when deemed necessary based on updates to industry standards among other things.

We have multiple layers of security designed to detect and block cybersecurity events, as well as dedicated teams of cybersecurity personnel and professionals, which assist our CISO in helping to assess, identify, monitor, detect and manage cybersecurity risks, threats, vulnerabilities and incidents. We collaborate with public and private entities and industry groups and engage third-party service providers to expand the capabilities and capacity of our cybersecurity program when deemed necessary.

Certain key components of our cybersecurity program include the following:

Protecting our technology and information systems: When we implement significant changes to our technologies or information systems, we conduct risk-based security and privacy impact assessments and deploy technical safeguards that are designed to reasonably protect our technology and information systems from cybersecurity threats. We actively monitor and proactively research potential cybersecurity threats to our technologies and information systems. We use what we learn to evolve our security controls over time to mitigate risks posed by such threats.

Incident response and recovery planning: We maintain incident response and recovery plans that address our response to cybersecurity incidents, including incidents that we become aware of at third parties that support our operations.
These plans guide how we evaluate and assign incident severity levels and reporting thresholds, escalate and engage incident response teams, and manage and mitigate the related risks.

Third-party risk management: We maintain a risk-based approach to identifying and managing cybersecurity threats presented to Walmart by third-party systems that support our operations, as well as third-party users of our data and systems, including vendors, service providers and subcontractors.

Training and awareness: We provide recurring information security training (which includes cybersecurity training) to our associates and certain third parties based on access, risk, roles, policies, standards and behaviors.

Assessments and testing: We engage in periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats. These efforts include tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage third parties to assist with our assessments and testing. Where appropriate we adjust our cybersecurity policies, standards, processes and practices accordingly based on internal and external assessment and testing results.

Certain of Walmart’s systems and those of our third-party service providers have experienced cybersecurity incidents and threats. Based on the information available as of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.
Despite our security measures, however, there can be no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that will materially affect us. Additional information about cybersecurity risks we face is discussed in "Item 1A. Risk Factors," which should be read in conjunction with the information above.


Company Information

Name: Walmart Inc.
CIK: 0000104169
SIC Description: Retail-Variety Stores
Ticker: WMT - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: January 30