AUTOZONE INC 10-K Cybersecurity GRC - 2024-10-28

Page last updated on October 28, 2024

AUTOZONE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-28 16:54:30 EDT.

Filings

10-K filed on 2024-10-28

AUTOZONE INC filed a 10-K at 2024-10-28 16:54:30 EDT
Accession Number: 0001558370-24-013758


Item 1C. Cybersecurity.

Risk Management and Strategy Program

We recognize the importance of assessing, identifying, and managing material risks from cybersecurity threats and have implemented various processes and safeguards to aid in such efforts. Our program encompasses people, processes, and technologies to safeguard our systems, data, and business from cybersecurity threats. Our program prioritizes threat mitigation and risk management, while focusing on maintaining the integrity and resilience of our systems. Our program is informed by industry standards, including the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), the American National Standards Institute encryption standards and the Payment Card Industry Data Security Standard. As part of our cybersecurity strategy, we regularly engage independent, outside expertise to assess and benchmark our overall program against these industry standards.

AutoZone, with the assistance of our managed security service provider, continuously monitors our threat intelligence and events within our digital environments. We employ a variety of methods designed to test and improve our controls, including vulnerability scanning, penetration testing, and attack simulation testing.

We have an incident response plan which sets forth procedures to investigate, respond to, contain, and remediate incidents with the support of a cross-functional team. The incident response plan also outlines a process for escalating and communicating incidents to members of management.

During the contract review and vendor engagement process, we assess vendors’ adherence to appropriate security practices, requirements, and expectations, including compliance with industry standards and applicable laws and regulations. We also engage a third-party to monitor certain service providers so that we may be alerted of important events that would impact such party’s risk profile.

We have an Information Security Awareness program which seeks to educate our employees on security risks and best practices through training, internal communications, and security awareness campaigns. We maintain cybersecurity insurance coverage that may protect us from losses in connection with certain cybersecurity incidents.

Cybersecurity Risks

While we have not experienced a material breach of our information systems or data to date, unauthorized parties have in the past gained access and exfiltrated data. Any future incident could significantly disrupt our operations and key business processes, result in the impairment, loss, unauthorized access of critical or sensitive data, be costly and resource-intensive to remedy; harm our reputation and relationship with customers, AutoZoners, vendors and other stakeholders; and have a material adverse impact on our business and operating results. See “Information Technology, Cybersecurity and Data Privacy Risks” in Item 1.A., Risk Factors for additional information related to cybersecurity risks.

Governance

The cybersecurity risk management program is integrated into our broader enterprise risk management framework, which allows our senior management team, with oversight of our Board, to develop a more holistic view of our risk exposure and prioritize and manage such risks accordingly.

AutoZone’s Chief Information Security Officer (CISO) reports directly to our Chief Information Officer and Senior Vice President of Information Technology. Our CISO has over 25 years’ experience in IT, with almost 20 years in dedicated Information Security leadership roles. He has experience across a broad range of industries and holds credentials including the Certified Information Systems Security Professional and the CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors.

The Audit Committee is responsible for overseeing the company’s enterprise risk management program, including cybersecurity risks. At its quarterly committee meetings, the Audit Committee reviews and discusses cybersecurity matters directly with our CISO, including relevant cybersecurity risks, changes to AutoZone’s threat landscape, risk mitigation strategies, cybersecurity program assessments and results, and cybersecurity roadmap and progress.


Company Information

Name: AUTOZONE INC
CIK: 0000866787
SIC Description: Retail-Auto & Home Supply Stores
Ticker: AZO - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: August 30