| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Dec. 31, 2025 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
Risk Management and Strategy
We are committed to protecting the security and integrity of our systems, networks, databases, and applications. To this end, we have implemented a comprehensive cybersecurity program designed to prevent, assess, identify, and manage material risks associated with cybersecurity threats.
Our cybersecurity risk management program is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and we are fully compliant with PCI-DSS V4 (Payment Card Industry Data Security Standard) across all markets in which we operate. Cybersecurity risks are assessed as part of our broader enterprise risk management program, ensuring that cyber risk is integrated into our overall risk posture.
We employ a global and multidisciplinary approach to cybersecurity risk management, engaging our information security, legal, and management teams, as well as third-party experts. Our processes for identifying and assessing cybersecurity threats include continuous network monitoring, intrusion detection, vulnerability assessments, penetration testing, threat intelligence, employee awareness training, phishing simulations, endpoint detection and response, and third-party security reviews.
To mitigate material risks, we maintain a comprehensive suite of technical, physical, and organizational controls. These encompass managed endpoint detection and response, incident detection and response, vulnerability management, disaster recovery and business continuity planning, internal controls, data encryption, network and access controls, physical security, asset management, system monitoring, and vendor risk management. Cybersecurity awareness training is provided to all employees and our Board of Directors annually.
We have established a formal incident response framework to ensure the timely identification, resolution, and reporting of cybersecurity incidents in accordance with applicable requirements. We rehearse our incident response plan at least annually via tabletop exercises devised and facilitated by outside experts.
We utilize third-party service providers for certain operational functions and have implemented a third-party risk management program to evaluate and monitor the cybersecurity practices of vendors with access to our systems or data. We also consult with external advisors to stay informed of emerging risks, defense strategies, and governance best practices.
As of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.
For additional information on our cybersecurity risks, see “Risks Related to Technology and Information Security.” in Item 1A. of this Annual Report on Form 10-K.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] |
We are committed to protecting the security and integrity of our systems, networks, databases, and applications. To this end, we have implemented a comprehensive cybersecurity program designed to prevent, assess, identify, and manage material risks associated with cybersecurity threats.
Our cybersecurity risk management program is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and we are fully compliant with PCI-DSS V4 (Payment Card Industry Data Security Standard) across all markets in which we operate. Cybersecurity risks are assessed as part of our broader enterprise risk management program, ensuring that cyber risk is integrated into our overall risk posture.
|
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] |
Governance
Role of the Board of Directors
Our Board of Directors has overall responsibility for risk oversight and has delegated to the audit committee primary enterprise risk oversight responsibility, including privacy and cybersecurity risk exposures, policies and practices, the steps management takes to detect, monitor and mitigate such risks and the potential impact of those exposures on our business, financial results, operations and reputation. The audit committee receives quarterly updates on the enterprise risk management program, including cybersecurity risks and the initiatives undertaken to identify, assess and mitigate such risks. This cybersecurity reporting may include threat and incident reporting, vulnerability detection reporting, risk mitigation metrics, systems and security operations updates, employee education initiatives, and internal audit observations, if applicable.
In addition to the efforts undertaken by the audit committee, the full Board of Directors regularly reviews matters relating to cybersecurity risk and cybersecurity risk management. Any material cybersecurity events would be brought to the attention of the full Board of Directors once the event is deemed material. Our incident response framework provides a formal mechanism for informing management and the Board of Directors, and for monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents.
Role of Management
QVC’s VP Information Security (reporting into the Chief Information Officer) is responsible for day-to-day management and oversight of QVCG’s cybersecurity program, including assessing, monitoring and mitigating cybersecurity risk.
Our Executive Leadership Team, which includes executives representing our Legal, Accounting, Internal Audit and Risk Management, IT and Facilities departments, receives at least quarterly cybersecurity updates from the VP Information Security and provides management oversight for the cybersecurity program at QVC Group.
In addition to real time notification of privacy and security incidents, we hold a bi-monthly meeting to discuss incidents, incident trends, developments in laws and regulations, and other privacy and cybersecurity hot topics, as applicable. QVC’s incident response team (including representatives from cybersecurity, legal/privacy, communications, and operations/physical security) meets on a bi-monthly basis to discuss incidents, incident trends, developments in laws and regulations, and other privacy and cybersecurity hot topics, as applicable. In addition, QVC’s cybersecurity team and legal/privacy teams meet on a monthly basis to discuss and review existing threats to QVC’s systems and data and to review past events.
Our management team’s experience includes a diverse background in telecom, retail and other industries, with decades of experience in various aspects of technology and cybersecurity. Our VP Information Security has more than 30 years of IT experience and holds multiple certifications, including Certified Information Security System Professional and Certified Information Security Manager. Our management team has worked at a variety of companies, including large publicly traded companies, implementing and managing IT and cybersecurity programs and teams, developing tools and processes to protect internal networks, business applications, customer facing applications and customer payment systems.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] |
QVC’s VP Information Security (reporting into the Chief Information Officer) is responsible for day-to-day management and oversight of QVCG’s cybersecurity program, including assessing, monitoring and mitigating cybersecurity risk.
|
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] |
QVC’s VP Information Security (reporting into the Chief Information Officer) is responsible for day-to-day management and oversight of QVCG’s cybersecurity program, including assessing, monitoring and mitigating cybersecurity risk.
Our Executive Leadership Team, which includes executives representing our Legal, Accounting, Internal Audit and Risk Management, IT and Facilities departments, receives at least quarterly cybersecurity updates from the VP Information Security and provides management oversight for the cybersecurity program at QVC Group.
In addition to real time notification of privacy and security incidents, we hold a bi-monthly meeting to discuss incidents, incident trends, developments in laws and regulations, and other privacy and cybersecurity hot topics, as applicable. QVC’s incident response team (including representatives from cybersecurity, legal/privacy, communications, and operations/physical security) meets on a bi-monthly basis to discuss incidents, incident trends, developments in laws and regulations, and other privacy and cybersecurity hot topics, as applicable. In addition, QVC’s cybersecurity team and legal/privacy teams meet on a monthly basis to discuss and review existing threats to QVC’s systems and data and to review past events.
|
| Cybersecurity Risk Role of Management [Text Block] |
QVC’s VP Information Security (reporting into the Chief Information Officer) is responsible for day-to-day management and oversight of QVCG’s cybersecurity program, including assessing, monitoring and mitigating cybersecurity risk.
Our Executive Leadership Team, which includes executives representing our Legal, Accounting, Internal Audit and Risk Management, IT and Facilities departments, receives at least quarterly cybersecurity updates from the VP Information Security and provides management oversight for the cybersecurity program at QVC Group.
In addition to real time notification of privacy and security incidents, we hold a bi-monthly meeting to discuss incidents, incident trends, developments in laws and regulations, and other privacy and cybersecurity hot topics, as applicable. QVC’s incident response team (including representatives from cybersecurity, legal/privacy, communications, and operations/physical security) meets on a bi-monthly basis to discuss incidents, incident trends, developments in laws and regulations, and other privacy and cybersecurity hot topics, as applicable. In addition, QVC’s cybersecurity team and legal/privacy teams meet on a monthly basis to discuss and review existing threats to QVC’s systems and data and to review past events.
Our management team’s experience includes a diverse background in telecom, retail and other industries, with decades of experience in various aspects of technology and cybersecurity. Our VP Information Security has more than 30 years of IT experience and holds multiple certifications, including Certified Information Security System Professional and Certified Information Security Manager. Our management team has worked at a variety of companies, including large publicly traded companies, implementing and managing IT and cybersecurity programs and teams, developing tools and processes to protect internal networks, business applications, customer facing applications and customer payment systems.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | QVC’s incident response team (including representatives from cybersecurity, legal/privacy, communications, and operations/physical security) meets on a bi-monthly basis to discuss incidents, incident trends, developments in laws and regulations, and other privacy and cybersecurity hot topics, as applicable. In addition, QVC’s cybersecurity team and legal/privacy teams meet on a monthly basis to discuss and review existing threats to QVC’s systems and data and to review past events. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our VP Information Security has more than 30 years of IT experience and holds multiple certifications, including Certified Information Security System Professional and Certified Information Security Manager. Our management team has worked at a variety of companies, including large publicly traded companies, implementing and managing IT and cybersecurity programs and teams, developing tools and processes to protect internal networks, business applications, customer facing applications and customer payment systems. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Our Board of Directors has overall responsibility for risk oversight and has delegated to the audit committee primary enterprise risk oversight responsibility, including privacy and cybersecurity risk exposures, policies and practices, the steps management takes to detect, monitor and mitigate such risks and the potential impact of those exposures on our business, financial results, operations and reputation. The audit committee receives quarterly updates on the enterprise risk management program, including cybersecurity risks and the initiatives undertaken to identify, assess and mitigate such risks. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |