Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Feb. 01, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We have developed and integrated into our overall risk management program an information security program that is designed to address material risks from cybersecurity threats. Our program includes policies and procedures that identify how security measures and controls are developed, implemented and maintained. A cybersecurity risk assessment, based on an internationally recognized methodology, is conducted annually.
The cybersecurity risk assessment process includes three parts: (1) identification of assets such as information, services, software and their dependencies, (2) an assessment of the criticality of the assets based on factors of confidentiality, integrity and availability, and (3) an assessment of other criteria to determine the impact a threat can have on each asset and the likelihood that such a threat occurs. Based on the risk assessment process, risk-based analysis, and using an internationally recognized information security framework as a reference, security controls are chosen.
Specific controls that are used to some extent as part of the information security program include endpoint threat detection and response, privileged access management, logging and monitoring involving the use of security information and event management with monitoring by a security operations center, multi-factor authentication, firewalls and intrusion detection and prevention, vulnerability and patch management, and security awareness training for employees and long-term consultants. Third-party security firms are used in different capacities to provide or operate some of these controls and technology systems, including cloud-based platforms and services. For example, we have used third parties to conduct independent assessments, such as vulnerability scans and penetration testing. We use a variety of processes to address cybersecurity threats related to the use of third-party technology and services, including pre-acquisition diligence, imposition of contractual obligations, and performance monitoring.
We have a written incident response plan that uses a severity classification process to identify incidents to escalate to executive management and determine whether the impact of the incident is material. We also conduct periodic trainings and tabletop exercises to enhance incident response preparedness. We are a member of an industry cybersecurity intelligence and risk sharing organization. Employees undergo initial cyber security awareness training when hired and maintenance cybersecurity awareness training annually.
To date, we do not believe that known risks from cybersecurity threats, including as a result of any previous cybersecurity incidents that we are aware of, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, we can give no assurance that we have detected or protected against all cybersecurity incidents or cybersecurity threats. Please refer to “—Risks Related to Data Privacy and Cybersecurity” in “Item 1A. Risk Factors” of this Annual Report for additional information about the risks we face associated with cybersecurity threats.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We have developed and integrated into our overall risk management program an information security program that is designed to address material risks from cybersecurity threats. Our program includes policies and procedures that identify how security measures and controls are developed, implemented and maintained. A cybersecurity risk assessment, based on an internationally recognized methodology, is conducted annually.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] Oversight of the information security program at the Board level sits with the Audit Committee. The Audit Committee is informed of cybersecurity-related risks through the CISO providing quarterly updates on the information security program and more frequently as circumstances require.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Oversight of the information security program at the Board level sits with the Audit Committee.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee is informed of cybersecurity-related risks through the CISO providing quarterly updates on the information security program and more frequently as circumstances require.
Cybersecurity Risk Role of Management [Text Block]
The Chief Information Security Officer (“CISO”) is the management position with primary responsibility for the development, operation, and maintenance of our information security program, which includes cybersecurity. Our CISO has cybersecurity experience that includes being a lead auditor for ISO/IEC 27001 and ISO 22301 with knowledge of both operations and governance. He previously served as Chief Technology Officer for an international managed security service provider, during which time he served as Virtual CISO, Incident manager and security auditor for several multinational companies. We have established a Cybersecurity Steering Committee to provide a management-level oversight of cybersecurity. The Cybersecurity Steering Committee reviews the annual risk assessment and provides comments on the overall information security program. Oversight of the information security program at the Board level sits with the Audit Committee. The Audit Committee is informed of cybersecurity-related risks through the CISO providing quarterly updates on the information security program and more frequently as circumstances require.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Chief Information Security Officer (“CISO”) is the management position with primary responsibility for the development, operation, and maintenance of our information security program, which includes cybersecurity.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CISO has cybersecurity experience that includes being a lead auditor for ISO/IEC 27001 and ISO 22301 with knowledge of both operations and governance. He previously served as Chief Technology Officer for an international managed security service provider, during which time he served as Virtual CISO, Incident manager and security auditor for several multinational companies.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] We have established a Cybersecurity Steering Committee to provide a management-level oversight of cybersecurity. The Cybersecurity Steering Committee reviews the annual risk assessment and provides comments on the overall information security program.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true