DOLLAR TREE, INC. 10-K Cybersecurity GRC - 2024-03-20

Page last updated on April 11, 2024

DOLLAR TREE, INC. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-03-20 16:30:22 EDT.

Filings

10-K filed on 2024-03-20

DOLLAR TREE, INC. filed a 10-K at 2024-03-20 16:30:22 EDT
Accession Number: 0000935703-24-000011


Item 1C. Cybersecurity.

Although we have operational safeguards in place, we still face significant risks from cybersecurity threats, as the number of cyberattacks targeting retailers and corporate networks grows, and the volume, intensity and sophistication of attempted attacks, intrusions, and threats from around the world increase daily. We (and third parties upon whom we rely) may be unable to implement security controls fully, continuously, and effectively as intended. As described above, we utilize a risk-based approach that focuses on proactively preventing security risks followed by prompt detection and containment of risks identified. Security controls, no matter how well designed or implemented, may only mitigate, and not fully eliminate risks. In addition, events, when detected by security tools or third parties, may not always be immediately understood or acted upon. If our technology systems, networks, or information are compromised by malicious software, ransomware, or other cyberattacks, we could lose critical data or confidential information of our customers, vendors or associates, experience disruptions in our ability to distribute and sell merchandise and manage inventories, incur substantial remediation costs and/or become subject to negative publicity, costly government actions or litigation. Notwithstanding the deliberate approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured.

Governance

Our Audit Committee, which includes a member with cybersecurity experience, oversees our management of risks relating to information security and data privacy. At least semiannually, the Audit Committee is responsible for reviewing and discussing our risk exposures related to information security and data privacy with management. These management updates are designed to inform the Audit Committee of any potential risks relating to information security or data privacy and any relevant mitigation or remediation tactics being implemented. In addition, as part of our regular enterprise risk management assessments, cybersecurity risks are reported to and assessed by the Enterprise Risk Committee, comprised of senior leadership from key business functions.

To more effectively prevent, detect and respond to information security threats, we have a dedicated Chief Information Security Officer ("CISO") whose team is responsible for our overall information security, cyber risk, and business continuity. The CISO brings over 25 years of extensive experience in information technology and information security and serves as the designated executive leader for cyber or data-related incident response activities. Our CISO's experience includes leading cybersecurity programs for Fortune 100 companies. In addition to the CISO, the Chief Information Officer and Chief Legal Officer are responsible for overseeing risks related to cybersecurity and data privacy. Our Chief Information Officer's experience includes more than 25 years of leading all information technology strategies and operations and oversight of IT systems for various Fortune 100 companies, and our Legal Department has personnel specializing in data privacy and cybersecurity who assist our team in assessing and managing cybersecurity risks.

We have a Cybersecurity Incident Response Plan that is integrated into our crisis management program. The plan provides protocols for evaluating and responding to cybersecurity incidents, including incident disclosure and reporting, notification to senior management and relevant committees, and meeting external reporting obligations. The plan is reviewed and updated regularly by our CISO and Chief Legal Officer to ensure its continued effectiveness. We recently performed tabletop exercises where we performed walkthroughs of cyber incident situations to test our response plan. We plan to continue testing on a periodic basis going forward.


Company Information

Name: DOLLAR TREE, INC.
CIK: 0000935703
SIC Description: Retail-Variety Stores
Ticker: DLTR - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: February 2