ROSS STORES, INC. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on July 16, 2024

ROSS STORES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 17:40:06 EDT.


10-K filed on 2024-04-01

ROSS STORES, INC. filed a 10-K at 2024-04-01 17:40:06 EDT
Accession Number: 0000745732-24-000009


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY RISK

RISK MANAGEMENT AND STRATEGY

We have a cybersecurity program that is intended to assess, identify, and manage material risks from cybersecurity threats to our business. Our program includes policies and procedures for detection, assessment, response, mitigation, remediation, and reporting of cybersecurity incidents and threats. Overall, our cybersecurity program is a strategic component of our company-wide risk management framework and activities.

Our cybersecurity program is led by our Information Technology (IT) team. The IT team is principally responsible for developing, managing, and implementing our cybersecurity risk assessment processes, maintaining and implementing our incident response plans, selecting and implementing security controls, providing cybersecurity training, performing ongoing threat analysis, and responding to cybersecurity threats and incidents. The cybersecurity program also draws upon a combination of industry frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, that are designed to help companies measure their security posture, reduce cybersecurity risks, and provide guidance for implementing effective security controls.

Our risk management approach and processes for cybersecurity extend to assessing and managing risks from cybersecurity threats associated with our use of third-party service providers, by employing vetting processes, including the conducting of security assessments and monitoring activities, to verify that third-party service providers adhere to our policies and contractual requirements. In addition, we engage and work with a range of third-party advisors, including cybersecurity consultants, legal counsel, and auditors, to help us assess, test, and otherwise assist in the development and review of our cybersecurity processes. These relationships enable us to benefit from specialized knowledge and insights to help inform our cybersecurity strategies.

As of April 1, 2024, to our knowledge, our business strategy, results of operations, and financial condition have not been materially affected by risks from cybersecurity threats or previously identified cybersecurity incidents, but there is no assurance that we will not be materially affected in the future by such risks or future incidents. For more information on our cybersecurity related risks, see ITEM 1A. RISK FACTORS.

GOVERNANCE

Our Board of Directors exercises general oversight of our risk management activities, including our cybersecurity program. With respect to risks related to cybersecurity, our Board of Directors has delegated the primary oversight responsibility to the Audit Committee. The Audit Committee, along with management, reports to the full Board of Directors on these matters throughout the year.

The Audit Committee receives quarterly cybersecurity reports and engages directly with our management team, including our Chief Capability Officer (CCO), Chief Information Officer (CIO) and Chief Information Security Officer (CISO), on cybersecurity risk management and related risk topics, including incident response and recovery protocols, associate trainings and awareness, recent Company and industry developments, and our related compliance programs and practices. Our cybersecurity program and practices are also evaluated through various internal and third-party audits and assessments, with the results reported to the Audit Committee.

Our CIO and CISO are principally responsible for assessing and managing our material risks from cybersecurity threats, reporting to our CCO. They lead efforts to prevent, identify, detect, mitigate, and remediate material cybersecurity risks and incidents through various means, including by receiving alerts and reports produced by security tools deployed in our IT systems. Together, our CIO and CISO have decades of experience in cybersecurity and in retail, including leadership experience in cybersecurity risk management, incident response and recovery, compliance, governance, IT systems and technology, and overall cyber defense methodologies.

Company Information

SIC Description: Retail-Family Clothing Stores
Ticker: ROST - Nasdaq
Category: Large accelerated filer
Fiscal Year End: February 2