Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Jan. 30, 2026 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | We maintain a robust cybersecurity program that we have designed with the goal of identifying, deterring, detecting, responding to, and managing potential cybersecurity risks and threats. Risk Management and Strategy Risk management is a central part of our cybersecurity program. We conduct regular risk assessments and monitor our information systems for potential vulnerabilities. We employ a risk quantification model to identify, measure, and prioritize cybersecurity and technology risks, and we implement corresponding security controls and safeguards based on model outputs. As part of our focus on the use of AI technology in our business, we developed an AI cybersecurity strategy designed to enable the building of secure and reliable AI systems while also managing ethical, legal, cyber, data privacy, and other technology risks. The Company also established an AI Governance Committee, which is composed of leaders across a variety of business, technology, and support functions, to oversee and approve ongoing enhancements to our AI governance framework. In addition to cybersecurity risks being tracked, managed, and monitored directly by the information security group, cybersecurity risks are also integrated into, and are among the risks evaluated and considered by, our enterprise risk management program. The Company’s Chief Legal Officer provides centralized oversight of our enterprise risk management program, which is managed by our Chief Compliance Officer and the Office of Enterprise Risk Management in partnership with the Enterprise Risk Council (ERC). The ERC is comprised of senior Company leaders with broad enterprise experience, including our Chief Information Security Officer (CISO). Processes and Procedures We have adopted physical, technological, and administrative controls on cybersecurity. Our risk management processes include, among others, the following features: •We leverage the National Institute of Standards and Technology security frameworks as well as established internal security standards, industry practices, and applicable regulatory requirements. Our program is designed to comply with a range of applicable industry standards, such as the Payment Card Industry Data Security Standard. •We maintain cybersecurity insurance coverage that provides protection against potential losses arising from certain cybersecurity incidents. •We require that cybersecurity awareness and data privacy training, along with company-wide and tailored training programs, be provided to associates annually. We also regularly conduct phishing and social engineering simulations, and host events to increase awareness, including an annual cybersecurity awareness summit and monthly campaigns. •We employ operational and technical measures to embed policy-driven security controls across key information security domains, including identity and access management, network security, and data protection. •We have a cybersecurity incident response plan in place which provides a framework for responding to cybersecurity incidents. Our information security team leverages technologies and vendors to monitor and respond to security threats via a dedicated security operations center. In the event of a security incident, a defined procedure outlines containment, response, and recovery actions that draw on resources and leadership across the Company, as needed. •A cross-functional team conducts periodic simulated exercises, and we perform regular vulnerability scanning and conduct vulnerability testing during the software development life cycle. •We collaborate with internal stakeholders and third-party assessors and consultants to conduct regular reviews, tests, and audits of our security program. This coordinated approach reviews security controls that safeguard our information assets, including payment information, through processes such as security control assessments and third-party penetration testing. Additionally, we utilize tabletop exercises, penetration and vulnerability testing, red team exercises, simulations, and other evaluations to improve our security measures and strategies. •We also participate in various cybersecurity and retail industry groups to remain apprised of emerging cybersecurity risks, defense, mitigation strategies, and governance best practices. Third-Party Risk Management Our cybersecurity risk management processes extend to the oversight and identification of threats associated with our use of third-party service providers. We have developed contracting processes and terms to gain commitments from certain vendors and third-party service providers to adhere to appropriate security practices and outline specific security requirements and expectations, including compliance with industry standards, applicable laws and regulations, and our internal security policies. We regularly evaluate and assess vendor risk levels based on a variety of factors, such as the nature of shared data, potential impact to business continuity, and vendors' security posture. Our processes extend beyond initial evaluations to include proactive monitoring and routine oversight. Cybersecurity incidents and risks of which we are aware as of the date of this Form 10-K have not materially affected our business strategy, results of operations, and financial condition, although we face ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our business strategy, reputation, results of operations, or financial condition. See “Risk Factors” in Item 1A of this Annual Report on Form 10-K for more information on our cybersecurity-related risks.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | We maintain a robust cybersecurity program that we have designed with the goal of identifying, deterring, detecting, responding to, and managing potential cybersecurity risks and threats. Risk Management and Strategy Risk management is a central part of our cybersecurity program. We conduct regular risk assessments and monitor our information systems for potential vulnerabilities. We employ a risk quantification model to identify, measure, and prioritize cybersecurity and technology risks, and we implement corresponding security controls and safeguards based on model outputs. As part of our focus on the use of AI technology in our business, we developed an AI cybersecurity strategy designed to enable the building of secure and reliable AI systems while also managing ethical, legal, cyber, data privacy, and other technology risks. The Company also established an AI Governance Committee, which is composed of leaders across a variety of business, technology, and support functions, to oversee and approve ongoing enhancements to our AI governance framework. In addition to cybersecurity risks being tracked, managed, and monitored directly by the information security group, cybersecurity risks are also integrated into, and are among the risks evaluated and considered by, our enterprise risk management program.
|
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Oversight responsibility over cybersecurity risk is shared by the Board and the Audit Committee, with the Audit Committee being primarily responsible for overseeing risks related to cybersecurity, data protection, privacy, and significant emerging technology. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Oversight responsibility over cybersecurity risk is shared by the Board and the Audit Committee, with the Audit Committee being primarily responsible for overseeing risks related to cybersecurity, data protection, privacy, and significant emerging technology. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | Our CDIO or CISO provide regular cybersecurity updates in the form of written reports and presentations to the Audit Committee at its quarterly meetings, which are also provided to the full Board. |
| Cybersecurity Risk Role of Management [Text Block] | Our Chief Digital and Information Officer (CDIO), our CISO, and senior members of our information security group are responsible for identifying, assessing, and managing risks from cybersecurity threats. Our CISO, who manages our cybersecurity program and receives information regarding cybersecurity incidents and threats from our information security group and through internal escalation procedures, reports to the CDIO, who reports directly to our Chairman, President, and Chief Executive Officer. The CDIO has served in various roles in information technology for over 25 years, holds undergraduate and graduate degrees in electrical and electronics engineering and computer science, and brings significant insights into cybersecurity strategies. The CISO has served in various roles in information security for over 30 years, including serving as a CISO of four public companies. The senior members of the information security group who report to the CISO have extensive experience in technology and security roles from serving with several large public companies and possess cybersecurity certifications, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor, among others.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Our Chief Digital and Information Officer (CDIO), our CISO, and senior members of our information security group are responsible for identifying, assessing, and managing risks from cybersecurity threats. Our CISO, who manages our cybersecurity program and receives information regarding cybersecurity incidents and threats from our information security group and through internal escalation procedures, reports to the CDIO, who reports directly to our Chairman, President, and Chief Executive Officer.
|
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | The CDIO has served in various roles in information technology for over 25 years, holds undergraduate and graduate degrees in electrical and electronics engineering and computer science, and brings significant insights into cybersecurity strategies. The CISO has served in various roles in information security for over 30 years, including serving as a CISO of four public companies. The senior members of the information security group who report to the CISO have extensive experience in technology and security roles from serving with several large public companies and possess cybersecurity certifications, including Certified Information Systems Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor, among others.
|
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Our CISO, who manages our cybersecurity program and receives information regarding cybersecurity incidents and threats from our information security group and through internal escalation procedures, reports to the CDIO, who reports directly to our Chairman, President, and Chief Executive Officer. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |