COSTCO WHOLESALE CORP /NEW 10-K Cybersecurity GRC - 2024-10-08

Page last updated on October 9, 2024

COSTCO WHOLESALE CORP /NEW reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-08 18:40:07 EDT.

Filings

10-K filed on 2024-10-08

COSTCO WHOLESALE CORP /NEW filed a 10-K at 2024-10-08 18:40:07 EDT
Accession Number: 0000909832-24-000049


Item 1C. Cybersecurity.

Risk Management and Global Strategy

We have implemented processes, technologies, and controls to seek to assess, identify, and manage risks associated with cybersecurity threats. Management considers cybersecurity risks within our overall approach to enterprise risk management. We evaluate these risks based on several frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), Center for Internet Security (CIS) 18 Critical Security Controls, and the Payment Card Industry Data Security Standard (PCI DSS). Our governance policies, including our Information Security Policy, outline high-level objectives designed to meet compliance and regulatory requirements. We undertake a bi-annual NIST CSF and CIS 18 Critical Security Controls assessment, conducted by a third-party, to measure our program maturity.

We have implemented a variety of technologies, leveraging third-party security providers for some, and engage in multiple activities to seek to identify and mitigate vulnerabilities and risks in systems. These include, among other activities, scanning for common vulnerabilities and exposures, penetration tests on internal and external networks, code scans on applications, allowed application listing, configuration management tools, employee awareness and training, and internal and external audits. We also review, with various frequencies, on a risk-based priority select third parties with whom we do business, in an effort to reduce the likelihood of security incidents or business interruptions. We maintain cybersecurity insurance that would apply to certain losses arising from significant security incidents. We maintain a security operations center, supported by external providers and our employees, which provides threat detection and incident response capabilities.

We maintain cyber incident response plans and related playbooks, for execution by our information security team, in coordination with stakeholders (including legal counsel). Significant incidents will be escalated to a Cybersecurity Materiality Committee to assess materiality based on qualitative and quantitative factors. The Committee is composed of a cross-divisional group of executives representing the core business functions of Information Technology and Security, Operations, Administration, Finance and Accounting, and Legal. We conduct periodic tabletop exercises, including at the executive level, to test our response processes and incident management procedures.

Governance

Our Board of Directors has delegated certain responsibilities to the Audit Committee of the Board. The Audit Committee reviews and discusses with management the identification and mitigation of cybersecurity risks, including (among other things) the effectiveness of risk-management policies and practices designed to help safeguard our operations, financial systems, and data. Our Vice President of Information Security and Chief Information Security Officer (CISO) presents cybersecurity-related topics, including program maturity progress, regularly to the Audit Committee. The Internal Audit team, in its periodic compliance and risk assessment updates to the Audit Committee, also reports on its reviews of certain of our cybersecurity risk exposures, controls, and management actions. The full Board also receives cybersecurity evaluations from time to time.

Our information security organization is led by our CISO, who has over eighteen years of relevant experience, serving in leadership roles across the retail and technology sectors. The CISO is responsible for all aspects of our cybersecurity program, including cybersecurity engineering and architecture, cybersecurity operations, incident response, threat intelligence, identity and access management, cybersecurity risk and compliance, and vulnerability management. Our CISO reports to our Chief Information and Digital Officer (CIDO), who has more than thirty years’ experience in which he has led global digital responsibilities, including leading global cyber teams. Our CIDO reports to the Chief Executive Officer.

Risks from Material Cybersecurity Threats

We and our third-party service and merchandise providers have experienced cybersecurity incidents and threats. Based on the information available as of the date of this Form 10-K, we are not aware of any risks from actual cybersecurity incidents that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. It is possible that there have been intrusions into our systems that have not been identified by our controls and procedures and that might manifest in significant events at a later time. There can be no guarantee that the actions and controls we and our third-party service providers have implemented and are implementing will be sufficient to protect our systems, information or other property. See “Risk Factors” in Item 1A of this Form 10-K for more information on our cybersecurity-related risks.


Company Information

Name: COSTCO WHOLESALE CORP /NEW
CIK: 0000909832
SIC Description: Retail-Variety Stores
Ticker: COST - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: August 30