BJ's Wholesale Club Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-18

Page last updated on April 11, 2024

BJ’s Wholesale Club Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-18 16:12:25 EDT.

Filings

10-K filed on 2024-03-18

BJ’s Wholesale Club Holdings, Inc. filed an 10-K at 2024-03-18 16:12:25 EDT
Accession Number: 0001531152-24-000026

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cyber Risk Management and Strategy At BJ s, we recognize the importance of information security practices designed to protect the confidentiality, integrity, and availability of company information and the personal information that our members share with us. We have implemented a cybersecurity program in accordance with our risk profile and business that is informed by recognized industry standards and frameworks, and incorporates elements of the same, including elements of the National Institute of Standards and Technology Cybersecurity Framework ( NIST CSF ), International Organization for Standardization ( ISO ) 27001 and Payment Card Industry Data Security Standard ( PCI DSS ) standards. Our cybersecurity risk assessment program includes a number of components, including information security program assessments, audits and maturity assessments, that are conducted periodically by both internal and external resources. Our internal audit function also conducts regular assessments of different systems to provide the audit committee with information on our cybersecurity risk management processes. As part of our cybersecurity risk management program, we take a risk-based approach to the evaluation of third-party vendors, and apply mitigations and processes based on our evaluation of the sensitivity of the data accessed by the vendor and the maturity of the vendor s programs. Our vendor evaluation procedures include, as appropriate, the completion of a vendor security questionnaire and our implementation of vendor monitoring programs. We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business 29 strategy, results of operations, or financial condition. However, like other companies in our industry, we and our third-party vendors have from time-to-time experienced threats and security incidents that could affect our information or systems. Governance Related to Cybersecurity Risks Our Chief Information Officer ( CIO ) is responsible for the strategic leadership and direction of the Company s information technology organization. Prior to joining BJ s in 2023, our current CIO served as global chief information officer at a public healthcare company, where she led information technology, privacy assurance, cyber, digital and data security across key business units. She has also held various chief information officer and technology leadership roles at several other healthcare companies and a multinational pharmaceutical corporation, along with other senior management positions during her career. The CIO and the VP of IT Security and Compliance regularly report to senior management and the board on the governance aspects of our data security program. The CIO and the VP of IT Security and Compliance are also members of our information security steering committee, which is comprised of executives throughout the Company who oversee areas such as finance, operations, legal, human resources, strategy and development, digital, and commercial. This committee meets regularly to, as relevant, discuss oversight of the Company s cybersecurity program, program enhancements and new risks or threats that the Company might be facing. The board of directors has overall responsibility for risk oversight, including, as part of regular board meetings, general oversight of executives management of risks relevant to the Company. The VP of IT Security and Compliance provides an annual cybersecurity update to the board. While the full board has overall responsibility for risk oversight, it is supported in this function by various committees, including principally its audit committee. The audit committee, pursuant to its charter, is responsible for overseeing risk management processes related to cybersecurity. The audit committee assists the board in fulfilling its risk oversight responsibilities by periodically reviewing our enterprise risk management program. Through its meetings with management, including the compliance and information technology functions, the audit committee reviews and discusses significant areas of our business and summarizes the key areas of risk and relevant mitigating factors for the board.

Company Information