Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Feb. 01, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
As a global retailer, we are mindful of the ongoing risks to our IT systems and operations from various sources and have implemented processes to monitor and mitigate these risks. We have adopted a cybersecurity program designed to identify, assess, and manage material risks from cybersecurity threats and have integrated cybersecurity risk into our broader enterprise risk management framework. We incorporate third-party assessments into our risk management program using recognized standards that are relevant to our business and we periodically self-assess various functional areas of our organization.
We use a variety of strategies and techniques designed to identify cybersecurity risks and reduce the risk of unauthorized access to our organization’s confidential information (including customer, vendor, and Associate data) and critical business systems. This approach includes various assessment activities (e.g. threat actor emulation and penetration testing), tabletop exercises, security awareness and training activities (e.g. simulated phishing campaigns and specialized training for cybersecurity personnel), encryption of certain types of information, and certain controls governing access to TJX facilities and systems, among other threat- and risk-based safeguards. The scope and level of our risk-based initiatives in these areas vary across functions and across the business.
We maintain an Information Management Program that is overseen by our Information Management Steering Committee (the “IMSC”), which is a cross-functional group consisting of senior leaders from areas such as IT, Cybersecurity, Risk and Compliance, Privacy, Legal, and Audit. The IMSC is responsible for developing and updating policies to support TJX’s Information Management Program and enhance the overall privacy, information security, and records management posture of our business.
Within our Cybersecurity department, our Security Operations Center provides threat detection and incident response capabilities. We also have an incident response plan which describes roles and responsibilities for internal stakeholders in responding to and escalating potential cybersecurity incidents. We periodically test this plan through tabletop exercises with relevant stakeholders across various functions of our business, including members of senior management.
We also have processes in place designed to identify and mitigate risks from third-party technology and service providers, including, as appropriate, pre-contractual due diligence, review of contractual terms addressing cybersecurity and data protection, and periodic re-assessment based on assessed vendor risk.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] As a global retailer, we are mindful of the ongoing risks to our IT systems and operations from various sources and have implemented processes to monitor and mitigate these risks. We have adopted a cybersecurity program designed to identify, assess, and manage material risks from cybersecurity threats and have integrated cybersecurity risk into our broader enterprise risk management framework.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our Board of Directors has oversight of the systems and processes established to report and monitor the most significant risks to our business (including those related to cybersecurity) and administers this oversight with respect to cybersecurity directly and through our Audit and Finance Committee. Our Board of Directors has oversight of our enterprise risk management program and, in addition, our Audit and Finance Committee reviews IT and cybersecurity risks and related topics with senior management on at least a quarterly basis. Significant cybersecurity risks identified by our Audit and Finance Committee are reported to the Board for review and consideration. Our Board has also had dedicated sessions during Board meetings on specific cybersecurity topics both led by our IT senior leaders and by outside advisors as part of its cybersecurity oversight practices. Additionally, outside of regular Board and committee meetings, the Chair of the IT Subcommittee of the Audit and Finance Committee meets with senior management (including the Chief Information Security Officer (“CISO”) and the Executive Vice President, Chief Information Officer (“CIO”)) on at least a quarterly basis to remain informed of and support our cybersecurity programs, including our assessment of current threats, defensive efforts, and other organizational initiatives.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors has oversight of the systems and processes established to report and monitor the most significant risks to our business (including those related to cybersecurity) and administers this oversight with respect to cybersecurity directly and through our Audit and Finance Committee.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our Board of Directors has oversight of the systems and processes established to report and monitor the most significant risks to our business (including those related to cybersecurity) and administers this oversight with respect to cybersecurity directly and through our Audit and Finance Committee. Our Board of Directors has oversight of our enterprise risk management program and, in addition, our Audit and Finance Committee reviews IT and cybersecurity risks and related topics with senior management on at least a quarterly basis. Significant cybersecurity risks identified by our Audit and Finance Committee are reported to the Board for review and consideration. Our Board has also had dedicated sessions during Board meetings on specific cybersecurity topics both led by our IT senior leaders and by outside advisors as part of its cybersecurity oversight practices. Additionally, outside of regular Board and committee meetings, the Chair of the IT Subcommittee of the Audit and Finance Committee meets with senior management (including the Chief Information Security Officer (“CISO”) and the Executive Vice President, Chief Information Officer (“CIO”)) on at least a quarterly basis to remain informed of and support our cybersecurity programs, including our assessment of current threats, defensive efforts, and other organizational initiatives.
Cybersecurity Risk Role of Management [Text Block]
Our information security program is overseen by our CISO, who has over thirty-five years of cybersecurity, information governance, and IT experience in critical infrastructure, private industry, and government. Our CISO reports to our CIO, who has more than twenty-eight years of global information technology leadership experience. Our CISO is informed about and monitors the prevention, detection and mitigation of cybersecurity threats through his management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our information security program is overseen by our CISO, who has over thirty-five years of cybersecurity, information governance, and IT experience in critical infrastructure, private industry, and government. Our CISO reports to our CIO, who has more than twenty-eight years of global information technology leadership experience.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our information security program is overseen by our CISO, who has over thirty-five years of cybersecurity, information governance, and IT experience in critical infrastructure, private industry, and government. Our CISO reports to our CIO, who has more than twenty-eight years of global information technology leadership experience.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our CISO is informed about and monitors the prevention, detection and mitigation of cybersecurity threats through his management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true