BIG LOTS INC 10-K Cybersecurity GRC - 2024-04-18

Page last updated on July 16, 2024

BIG LOTS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-18 17:15:47 EDT.


10-K filed on 2024-04-18

BIG LOTS INC filed a 10-K at 2024-04-18 17:15:47 EDT
Accession Number: 0000768835-24-000026


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company has developed an information security program for assessing, identifying and managing material risks from cybersecurity threats. The program includes policies and procedures that govern how the Company’s security measures and controls are developed, implemented, and maintained. The Company conducts a cybersecurity risk assessment, based on a method and guidance from a recognized national standards organization, at least annually. The Company selects the security controls it uses to address cybersecurity risks based on its annual risk assessment, additional risk-based analysis performed by the Company and its evaluation of various factors, including the likelihood and severity of risk, the impact on the Company and others if a risk materializes, the feasibility and cost of controls, and the impact of controls on operations and others.

Security controls used by the Company include endpoint threat detection and response (EDR), identity and access management (IAM), privileged access management (PAM), logging and monitoring involving the use of security information and event management (SIEM), multi-factor authentication (MFA), firewalls and intrusion detection and prevention, and vulnerability and patch management. The Company engages third-party security firms to provide or operate some of these security controls and technology systems. For example, third parties conduct assessments such as vulnerability scans and penetration testing. The Company uses a variety of processes to address cybersecurity threats related to the use of third-party technology and services, including pre-acquisition diligence, imposition of contractual obligations, and performance monitoring. The Company has a written incident response plan and periodically conducts tabletop exercises to enhance incident response preparedness.

The Company also maintains business continuity and disaster recovery plans to prepare for a potential disruption in technology. The Company is a member of an industry cybersecurity intelligence and risk sharing organization. Employees undergo security awareness training when hired and at least semi-annually thereafter.

The Company has an Enterprise Risk Management (ERM) function to address enterprise risks, including cybersecurity. ERM is led by our Enterprise Risk Council, which consists of members of the CEO’s staff. The Risk Council oversees the design and execution of the ERM function to allow for the identification, assessment, prioritization, management, monitoring and reporting of material risks. This includes an annual risk assessment and quarterly updates of the risk profile given current operating conditions. The Risk Council meets quarterly and provides reporting to the Board of Directors and relevant Board Committees given the nature of specific risks identified, which includes cybersecurity risk.

The Company may not be able to fully, continuously, and effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine the security controls we implement, and it is possible that we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. Events, when detected by security tools or third parties, may not always be immediately understood or acted upon.

Governance

Our Chief Information Security Officer (CISO) has primary responsibility for the development, operation, and maintenance of our information security program, including assessing and managing risk from cybersecurity threats. The Company’s CISO has 30 years of information technology experience, with 17 years focused specifically on information security and risk management. He combines organizational management and leadership skills with a high degree of technical knowledge, the result of hands-on information technology and security experience. The CISO provides regular security updates to key members of our management team, quarterly Audit Committee briefings, and ad-hoc security updates if a situation requires. Security Risk Assessment results are provided to both the Enterprise Risk Council and the Audit Committee as part of the quarterly briefings. The Board of Directors has delegated oversight of the information security program to the Audit Committee.

The Company is not aware of any cybersecurity threat or any material cybersecurity data breach to date, including as a result of any previous cybersecurity incidents, that has materially affected or is reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.

Company Information

SIC Description: Retail-Variety Stores
Ticker: BIG - NYSE
Category: Accelerated filer
Fiscal Year End: January 30