Item 1C. Cybersecurity
Set forth below is information regarding our cybersecurity risk management, strategy, and governance, along with a related description of our information security and data privacy practices.
Securing company systems, business information, and personal information of our guests, team members, vendors, and other third parties is important to us. We have systems in place to:
- safely receive, protect, and store that information;
- collect, use, and share that information appropriately; and
- detect, contain, and respond to information security, cybersecurity, and data privacy incidents.
While everyone at Target plays a part in information security, cybersecurity, and data privacy, oversight responsibility is shared by our Board of Directors, its committees, and management.
Responsible party | Oversight of information security, cybersecurity, and data privacy |
---|---|
Board of Directors | Oversight of these topics within Target's overall risks |
Audit & Risk Committee | Primary oversight responsibility for information security, cybersecurity, and data privacy, including internal controls designed to identify, assess, and manage risks related to these topics |
Management | Our Chief Information Officer, Chief Information Security Officer, Chief Legal & Compliance Officer, Chief Corporate Affairs Officer, and other senior members of our cybersecurity, risk, and compliance and ethics teams are responsible for identifying, assessing, and managing risks related to these topics, and reporting to the Audit & Risk Committee and/or the full Board of Directors |
Our program and practices regarding information security, cybersecurity, and data privacy include the following:
- Audit & Risk Committee and Board of Directors updates. To inform and educate the Audit & Risk Committee in its primary oversight responsibility for information security, cybersecurity, and data privacy, management provides updates on these topics. For example, the Chief Information Security Officer addresses information security risks and controls, cyber threats, and other program updates, and senior members of the risk team provide enterprise risk management program updates. In addition, the Board of Directors receives updates from management regarding Target’s overall risks, which include risks related to these topics.
- Integration into enterprise risk management program. By aligning the identification, assessment, and management of risks related to information security, cybersecurity, and data privacy with our overall approach to risk oversight by the Board of Directors, its committees, and management, we have integrated these practices into our enterprise risk management program.
- Management expertise. Our Chief Information Officer leads the strategic direction and management of Target’s enterprise technology systems. He is responsible for Target’s technology roadmap and oversees Target’s global product engineering, infrastructure, cybersecurity, data sciences, and architecture teams. He has held a variety of leadership roles across the company and has developed significant knowledge and skills regarding enterprise technology systems, including cybersecurity. Our Chief Information Security Officer has a strong background in technology, information security, cybersecurity, risk management, audit, and compliance and held executive roles in information security prior to joining Target. He continues to develop his expertise in these areas and contributes to the broader cybersecurity community by serving in several board and advisory roles and promoting collaboration, best practice sharing, and talent development. Our Chief Legal & Compliance Officer and Chief Corporate Affairs Officer have extensive experience, and have developed critical knowledge and skills, in the areas of risk oversight and compliance, including as such areas relate to cybersecurity.
- Systems and processes. We use a combination of industry-leading tools and in-house technologies to protect Target and our guests, operate a proactive threat intelligence program to identify and assess risks, including from threats associated with our use of third-party service providers, and we run a cyber fusion center to investigate and respond to threats. Our program is based on recognized industry security standards and control frameworks, which we seek to validate through internal and independent assessments. Our cybersecurity team regularly tests our controls through penetration testing, vulnerability scanning, and attack simulation. In addition, we have an incident response program to address potential security and privacy incidents. As part of this incident response program, members of management are informed about and monitor the prevention, detection, mitigation, and remediation of potential security and privacy incidents. The program uses a coordinated escalation model to provide information to, and engage with, relevant members of management and the Board of Directors, as needed, throughout the incident response process.
- Understanding evolving threats in the industry and with our suppliers. Our cybersecurity and data privacy teams work to understand evolving threats, developing issues, and industry trends, and our vendor teams monitor and assess risks with our suppliers.
- Collaboration with organizations across different industries. We share threat intelligence and collaborate with organizations across different industries to share best practices, fight cybercrime, enhance privacy, discuss new technologies, better understand the evolving regulatory environment, and advance capabilities in these areas.
- Investment, training, and development of our cybersecurity and data privacy teams. We invest in building and developing cybersecurity talent and engineering expertise in-house rather than relying solely on third-party providers. We also offer in-house training and educational courses through our Cyber Plus Institute, which is a security training curriculum leveraging internal subject matter expertise along with curated resources. Our data privacy team has industry certifications, works to understand changing technologies that impact consumer privacy, and regularly participates in training and conferences.
- Regular training and compliance activities for our team members. Our team members receive annual training on information security, cybersecurity, and data privacy topics to understand the behaviors and technical requirements necessary to protect company and guest information, and appropriately collect, use, and share personal information. We also offer ongoing practice and education for team members to recognize and report suspicious activity.
- Use of third parties. Beyond our in-house capabilities, we engage with leading security and technology vendors to assess our information security and cybersecurity program and test our technical capabilities.
- Insurance coverage. We maintain insurance coverage intended to limit our exposure to certain network security and privacy matters.
See “Information Security, Cybersecurity, and Data Privacy Risks” in Part I, Item 1A, Risk Factors for additional information regarding risks from cybersecurity threats.