| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Feb. 01, 2026 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | We have an enterprise-wide information security program designed to assess, identify, and manage the Company’s information security risks and identify, protect, evaluate, respond to and resolve information security incidents. To protect our information systems from information security incidents, we use various processes and tools to identify, prevent, detect, escalate, investigate, resolve and recover from identified vulnerabilities and threats. These include, but are not limited to, reporting, monitoring and detection tools and services that are widely used in the industry, and internal solutions. We have an enterprise-wide Information Security Incident Response Plan (“IRP”), which describes the detailed processes and procedures that should be followed in the event of an information security incident. We conduct assessments based on the National Institute of Standards and Technology cybersecurity framework (the “NIST CSF”) to measure our progress under the maturity framework of NIST CSF and continue to identify opportunities for improvement in our information security program. We continuously assess technology risks and threats and monitor our information systems for potential vulnerabilities based on industry trends and evolving threats. We use our IRP to identify, protect, evaluate, respond to and resolve information security incidents. We conduct regular reviews of our information security program and also validate our IRP by conducting tabletop exercises, penetration and vulnerability testing, red team campaigns to identify potential vulnerabilities, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our IRP. Our auditors perform independent audits on aspects of our information security program for assurance purposes. We occasionally engage third-party assessors to assess different aspects of our information security program. We conduct regular training for employees on different cybersecurity topics and best practices. We also conduct a risk-based analysis on third-party vendors that we engage to process personal data and confidential information for us and provide them with our information security requirements prior to their engagement. We are occasionally subject to cybersecurity incidents and we use our IRP to respond to such incidents. Our e-commerce systems are periodically the target of directed attacks intended to lead to interruptions and delays in our service and operations. We also occasionally experience the misuse or unauthorized disclosure of personal information, other data, confidential information or intellectual property. We occasionally experience incidents unrelated to our system where bad actors attempt to take over customer accounts by using the credentials of customers. These incidents have not had a material impact on us to date, including our business strategy, financial condition, or results of operations. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, financial condition, or results of operations. For more information about the cybersecurity risks we face, see the risk factor titled “Our failure or the failure of third-party service providers to protect our websites, networks, and systems against cybersecurity incidents, or to otherwise protect our confidential information, could damage our reputation and brand and harm our business, financial condition, and results of operations” under Item 1A “Risk Factors” of this Annual Report on Form 10-K. |
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | We have an enterprise-wide information security program designed to assess, identify, and manage the Company’s information security risks and identify, protect, evaluate, respond to and resolve information security incidents. To protect our information systems from information security incidents, we use various processes and tools to identify, prevent, detect, escalate, investigate, resolve and recover from identified vulnerabilities and threats. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Our enterprise risk assessment includes our key cybersecurity risks. The Board oversees our annual enterprise risk assessment, where we assess key risks within the Company, including technology risks and cybersecurity threats. Our CISO provides quarterly updates to the Audit Committee of the Board, which oversees our cybersecurity risks and regularly reviews and discusses with management various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance; discussion on policies, guidelines, and processes used by management to assess and manage such matters; and the steps management has taken to monitor and control such matters. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Director of Information Security (the “CISO”) leads our information security organization and is responsible for managing our information security program. Our CISO brings more than 15 years of experience in cybersecurity leadership, including directing enterprise security programs and driving risk management strategies prior to joining Chewy. The information security team supporting our program hold deep expertise and relevant educational, industry, and professional credentials that align with our mission to protect Chewy’s technology, data, and customers. Our information security team provides regular reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings. Our enterprise risk assessment includes our key cybersecurity risks. The Board oversees our annual enterprise risk assessment, where we assess key risks within the Company, including technology risks and cybersecurity threats. Our CISO provides quarterly updates to the Audit Committee of the Board, which oversees our cybersecurity risks and regularly reviews and discusses with management various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance; discussion on policies, guidelines, and processes used by management to assess and manage such matters; and the steps management has taken to monitor and control such matters. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Board oversees our annual enterprise risk assessment, where we assess key risks within the Company, including technology risks and cybersecurity threats. Our CISO provides quarterly updates to the Audit Committee of the Board, which oversees our cybersecurity risks and regularly reviews and discusses with management various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance; discussion on policies, guidelines, and processes used by management to assess and manage such matters; and the steps management has taken to monitor and control such matters. |
| Cybersecurity Risk Role of Management [Text Block] | The Board oversees our annual enterprise risk assessment, where we assess key risks within the Company, including technology risks and cybersecurity threats. Our CISO provides quarterly updates to the Audit Committee of the Board, which oversees our cybersecurity risks and regularly reviews and discusses with management various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance; discussion on policies, guidelines, and processes used by management to assess and manage such matters; and the steps management has taken to monitor and control such matters. |
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | The Director of Information Security (the “CISO”) leads our information security organization and is responsible for managing our information security program. Our CISO brings more than 15 years of experience in cybersecurity leadership, including directing enterprise security programs and driving risk management strategies prior to joining Chewy. The information security team supporting our program hold deep expertise and relevant educational, industry, and professional credentials that align with our mission to protect Chewy’s technology, data, and customers. Our information security team provides regular reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings. Our enterprise risk assessment includes our key cybersecurity risks. The Board oversees our annual enterprise risk assessment, where we assess key risks within the Company, including technology risks and cybersecurity threats. Our CISO provides quarterly updates to the Audit Committee of the Board, which oversees our cybersecurity risks and regularly reviews and discusses with management various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance; discussion on policies, guidelines, and processes used by management to assess and manage such matters; and the steps management has taken to monitor and control such matters. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our CISO brings more than 15 years of experience in cybersecurity leadership, including directing enterprise security programs and driving risk management strategies prior to joining Chewy. The information security team supporting our program hold deep expertise and relevant educational, industry, and professional credentials that align with our mission to protect Chewy’s technology, data, and customers. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Our CISO provides quarterly updates to the Audit Committee of the Board, which oversees our cybersecurity risks and regularly reviews and discusses with management various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance; discussion on policies, guidelines, and processes used by management to assess and manage such matters; and the steps management has taken to monitor and control such matters. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |