NORDSTROM INC 10-K Cybersecurity GRC - 2024-03-19

Page last updated on April 11, 2024

NORDSTROM INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-19 17:28:26 EDT.

Filings

10-K filed on 2024-03-19

NORDSTROM INC filed a 10-K at 2024-03-19 17:28:26 EDT
Accession Number: 0000072333-24-000031


Item 1C. Cybersecurity.

Nordstrom understands that establishing, executing and sustaining effective cybersecurity measures to secure our information systems and preserve the confidentiality, integrity and availability of our data is critical to the success of the business.

Management of Material Risks and Integrated Overall Risk Management

Our comprehensive risk management framework is intended to strategically incorporate cybersecurity risk management across the company, with the objective of ensuring that cybersecurity considerations underpin the decision-making processes at all organizational levels. Our risk management team collaborates closely across various Enterprise-wide business units to continually assess and address identified cybersecurity risks in alignment with business objectives. The CISO regularly updates the CTIO, Chief Financial Officer and Chief Executive Officer on material cybersecurity risks and events.

Engagement with Third Parties on Management of Cybersecurity Risk

Recognizing the dynamic nature of cybersecurity threats, Nordstrom collaborates with external experts, including assessors, consultants and examiners, to evaluate and test our cybersecurity risk preparedness. Regular exams, threat assessments and consultation on security enhancements with these third parties ensure that our cybersecurity strategies align with industry best practices.

Oversight of Third-party Risk

In the course of our business, we regularly exchange data and information with certain third parties in various ways, exposing us to risk related to the cybersecurity posture of and information management practices of those third parties. To try to mitigate this risk, we have implemented processes that may, depending upon the nature of the relationship with the third party, require security assessments and data integration design reviews prior to allowing our systems to connect with theirs. In addition, we seek to require these third parties to adhere to pre-established cybersecurity standards. Where applicable, we try to obtain contractual commitments with those third parties to ensure these security requirements are met.

Risks from Cybersecurity Threats

Nordstrom has not experienced any cybersecurity incident that has materially impacted, or that is reasonably likely to materially impact, our operations, financial condition and cash flows.

Cybersecurity Risk Management Personnel

Primary responsibility for assessing, monitoring, mitigating and managing our cybersecurity risks rests with our information security organization, led by our CISO and supported by our CTIO. The CISO, who has over 20 years of cybersecurity and technology expertise, supports a skilled information security organization that brings expertise in vulnerability management, incident response, penetration testing, regulatory compliance and other critical information security domains. Our information security team maintains certifications from recognized external security authorities such as ISC2, CompTIA, ISACA, GIAC, SANS, PCI and OffSec. The security program is assessed annually by a reputable third party to provide guidance for continuous improvement.

Monitoring and Responding to Cybersecurity Incidents

The security organization stays informed about the latest developments in cybersecurity, implements processes for regular monitoring of information systems and deploys relevant security measures. In the event of a cybersecurity incident, a formal incident response plan is in place for immediate actions and long-term strategies.

Board of Directors Oversight

The Board of Directors has oversight responsibilities regarding cybersecurity risk. At regularly scheduled meetings (at least quarterly), in addition to such additional interactions as may be necessary in specific circumstances, our Chief Executive Officer, CTIO and CISO update the Board on emerging cybersecurity risks and developments impacting Nordstrom.


Company Information

Name: NORDSTROM INC
CIK: 0000072333
SIC Description: Retail-Family Clothing Stores
Ticker: JWN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: February 2