Table of Contents
Any of these circumstances could impair our ability to meet customer demand for products and result in lost sales, increased supply chain costs,
or damage to our reputation, any of which could negatively impact our business performance or financial condition.
Failure to maintain a safe and secure store environment may adversely impact sales, costs, the customer and associate experience, or
our brand and reputation.
Our customers and associates expect a safe store environment in which to shop and work, and maintaining that environment helps protect
against loss or theft of our inventory (also called “shrink”). Like other retailers, we have seen an increase in shrink in recent years, particularly as
a result of organized retail crime. While we have a number of initiatives underway to address shrink, minimize theft, and maintain safety in and
around our stores, these efforts require operational changes that may increase costs and reduce margins, and they may negatively impact the
customer experience. Furthermore, an unsafe environment or negative incidents in or around our stores may erode trust and confidence with
customers, associates, or potential associates, which can adversely impact sales, associate morale and retention, and our brand and reputation.
If our efforts to maintain the privacy and security of customer, associate, job applicant, business partner, and Company information
are not successful, we could incur substantial costs and reputational damage and could become subject to litigation and enforcement
actions.
Our business, like that of most retailers, involves the collection, use, retention, management, transmission, and deletion of personal information
(including identifiers, localization, internet activity, preferences, and payment information) from our customers, associates, job applicants, and
business partners, as well as confidential Company information. We also work with third-party service providers that provide technology, systems
and services that we use in connection with the handling of information. Our information systems, and those of our third-party service providers,
are vulnerable to continually evolving data protection and cybersecurity risks. Unauthorized parties have in the past gained access, and will
continue to attempt to gain access, to these systems and data through fraud or other means of deceiving or coercing our associates or third-
party service providers, which could jeopardize the confidentiality, integrity, or availability of such information systems or our information.
Hardware, software or applications we develop or obtain from third parties may contain exploitable vulnerabilities, bugs, or defects in design,
maintenance or manufacture or other problems that could unexpectedly compromise information security. We have experienced and continue to
face the ongoing risk of exploitation of our software providers and our software development and implementation process, including from coding
and process vulnerabilities and the installation of so-called back doors that provide unauthorized access to systems and data. The increased use
of a remote workforce has also expanded the possible attack surface areas. In addition, the risk of cyber-attacks has increased in connection
with geopolitical conflicts and ongoing trade and diplomatic tensions. In light of the conflicts in Europe and the Middle East and other geopolitical
events, nation-state actors or their supporters may launch retaliatory cyber-attacks, and may attempt to cause supply chain and other third-party
service provider disruptions, or take other geopolitically-motivated retaliatory actions that may disrupt our business operations, result in data
compromise, or both. Nation-state actors have in the past carried out, and may in the future carry out, cyber-attacks to achieve their aims and
goals, which may include espionage, monetary gain, disruption, and destruction. To achieve their objectives, nation-state actors and other cyber
criminals have used and may continue to use numerous attack vectors and methods, including use of stolen passwords, social engineering,
phishing, smishing, vishing, identity spoofing, ransomware or other disruptive and destructive malware, supply chain compromises, and man-in-
the-middle and denial of service attacks. The methods used to obtain unauthorized access, disable or degrade service, or sabotage systems are
constantly changing and evolving, increasing in frequency and sophistication, and may be difficult to anticipate or detect for long periods of time.
The ever-evolving cybersecurity threat landscape means that we and our third-party service providers and business partners must continually
evaluate and adapt our respective systems and processes and overall security environment, as well as those of companies we or they acquire.
There is no guarantee that the measures we take will be adequate to safeguard against all threats, including vulnerabilities, data security
breaches, system compromises or misuses of data. As we have experienced in the past, any significant compromise or breach of our data
security, whether external or internal, or misuse of customer, associate, job applicant, business partner, or Company data, could result in
significant costs, including costs to investigate and remediate, as well as lost sales, fines, lawsuits, regulatory investigations, and damage to our
reputation. Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and
may not immediately produce signs of anomalous activity or compromise, we may be unable to anticipate these techniques or to implement
adequate preventative measures. Additionally, as we have experienced in the past, we or our third-party service providers may not discover any
security breach, vulnerability or compromise of information for a significant period of time after the occurrence of a security incident.
Furthermore, our cyber insurance coverage may not be
Fiscal 2023 Form 10-K 16