DICK'S SPORTING GOODS, INC. 10-K Cybersecurity GRC - 2025-03-27

Page last updated on March 27, 2025

DICK’S SPORTING GOODS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 16:05:50 EDT.

Company Summary

Dick’s Sporting Goods, Inc. is an American chain of sporting goods stores founded in 1948 by Richard “Dick” Stack. It is the largest sporting goods retailer in the United States. (Source: Wikipedia)

Filings

10-K filed on 2025-03-27

DICK’S SPORTING GOODS, INC. filed a 10-K at 2025-03-27 16:05:50 EDT
Accession Number: 0001089063-25-000012


Item 1C. Cybersecurity.

Risk Management/Strategy

The protection of our data, including athlete and teammate data, is critical to the Company’s strategy of being a trusted advisor throughout the athlete and teammate experience. Cybersecurity is integrated into the Company’s Enterprise Risk Management framework and is overseen by management and the Audit Committee. The Company’s Cybersecurity team, led by the Company’s Chief Information Security Officer (“CISO”), works in close partnership with multiple internal constituencies to monitor and focus on current and emerging data security matters across the Company and with third parties while implementing and enabling industry-accepted cybersecurity risk management and compliance frameworks and programming, including the NIST Cybersecurity Framework. Internal and third-party risks are reviewed, monitored, and managed by the Company’s Cybersecurity and Privacy teams, audited by an Internal Audit team and various external parties. The Company regularly engages third-party experts to assess the effectiveness of its cybersecurity programs. Additionally, the Company continually invests in skilled personnel; recurring training, processes, and procedures; insurance coverages; and numerous technologies to keep pace with current threats; trends; and an ever-evolving legal, regulatory, compliance, and risk landscape with respect to cybersecurity.

The Company has implemented a Cybersecurity Incident Response Plan (the “IR Plan”) and framework to appropriately detect, contain and respond to cybersecurity incidents. The IR Plan identifies protocols for incident classification, the use of third-party service providers where applicable, processes for notification and internal escalation of information to senior management and the Audit Committee, and processes for materiality review. The IR Plan is reviewed and updated, as necessary, under the leadership of the Company’s CISO. Additionally, the Company maintains processes to assess the risks associated with third parties that store, transmit, or process sensitive Company data.

As of the date of this Annual Report on Form 10-K, cybersecurity threats, including the results of any previous cybersecurity incidents, have not materially affected the Company, its business strategy, results of operations or financial condition. While we have no knowledge of any material data security breaches to date, any compromise of our data security could result in a violation of applicable privacy and other laws or standards, significant legal and financial exposure beyond the scope or limits of our insurance coverage, interruption of our operations, increased operating costs associated with remediation, equipment acquisitions or disposal, added personnel, and a loss of confidence in our security measures, which could harm our business, athlete experience, reputation or investor confidence. See Item 1A. “Risk Factors” for more information on the Company’s cybersecurity-related risks.

Governance

The Audit Committee provides oversight of our cybersecurity risk management, as the security of athlete and teammate data continue to be Company-wide priorities. Our cybersecurity risk management is led by our CISO, an accomplished leader in cybersecurity capabilities and management of cybersecurity risk with over 25 years of experience who joined the Company in January 2025. The CISO reports to the Company’s Chief Technology Officer, who served as the interim CISO for a portion of fiscal 2024 following the departure of our then current CISO in October 2024, and directly reports to the Company’s Chief Executive Officer. The CISO provides quarterly (or more often, if necessary) updates to the Audit Committee and periodic updates to the full Board, regarding existing and new cybersecurity risks, including how management is mitigating those risks.

The CISO and the broader cybersecurity team is responsible for detecting, containing, and responding to cybersecurity incidents as documented within the IR Plan.


Company Information

Name: DICK’S SPORTING GOODS, INC.
CIK: 0001089063
SIC Description: Retail-Miscellaneous Shopping Goods Stores
Ticker: DKS - NYSE
Category: Large accelerated filer
Fiscal Year End: January 31