Annual report [Section 13 and 15(d), not S-K Item 405]

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended Jan. 31, 2026

Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

We recognize the importance of protecting customer and associate data and maintaining the safety, availability, security, and integrity of our data and information systems, some of which are provided or managed by third parties. We continue to invest in people, technology, and processes to protect data and systems against evolving cybersecurity threats. We have implemented a cybersecurity program that we believe is reasonably designed to manage risks from cybersecurity threats, including those that may result in adverse effects on the confidentiality, integrity, and availability of our information systems, and impact the security of information we create, maintain, and process on our information systems. Our program is designed to enable us to prevent, monitor, identify, detect, investigate, respond to, mitigate, and report on cybersecurity threats and incidents.

Risk Management and Strategy

The Company’s cybersecurity program is based on recognized frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization, and other applicable industry standards and applies, as appropriate, to the Company’s internal and external information systems, applications, networks, and operations. The Company’s cybersecurity program is focused on the following key areas:

Technical Safeguards. Our cybersecurity team constantly and proactively monitors our network and application landscape for threats and anomalies. The cybersecurity team deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. We maintain a software vulnerability management program supported by internal personnel and third-party service providers. We deploy technologies to automate and enhance our operational security capabilities. We also use third-party managed security services to augment our cybersecurity team’s capabilities.

Incident Response Plan. The Company has established and maintains a comprehensive incident response plan that addresses the Company’s response to a cybersecurity incident. The plan provides a coordinated approach to investigating, containing, mitigating, and documenting cybersecurity incidents, including reporting and escalating findings as appropriate (including to the Company’s crisis management team).

Third-Party Risk Management. The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. Our partners and vendors with whom we share information to conduct our business are required to safeguard it by appropriate means, including elevated contractual commitments when appropriate.

Risk Assessments. We conduct scanning, testing, and assessments designed to identify risks from cybersecurity threats, assess controls, and calibrate planning in response to rapidly evolving cybersecurity risks, and use the results from this testing to adjust our cybersecurity program roadmap to mitigate cybersecurity risks as they evolve. We assess ourselves against industry standard cybersecurity and risk management frameworks to measure the effectiveness of our technology controls and financial reporting controls. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness, including network penetration assessments. The Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.

Internal Audits. Our internal audit team performs audits on various aspects of cybersecurity and reports the results of these audits in its quarterly reports to management and the Audit Committee (the “Audit Committee”) of our Board of Directors (the “Board”). The internal audits assess the sufficiency of security processes and controls for relevant systems. Leaders from our risk management, internal audit, and legal teams administer our enterprise risk management (“ERM”) program, which is designed to identify, assess, and manage our top enterprise risks, including risks arising from cybersecurity threats.

Training. All Ulta Beauty associates have a role as stewards of Company data, and we educate them on how to keep data safe. As part of the Company’s onboarding and annual security awareness training and regular training around phishing, we train associates on how to keep devices and data safe in public places; how to avoid security threats and phishing scams; how to maintain a secure workplace; and everyday practices that help maintain the security of corporate digital devices, data, and systems. In addition, we require vendors and contractors that supply or support our information systems to undergo onboarding and training regarding good information and data security hygiene.

Based on the information available to us as of the date of this Annual Report, we believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition, and as of the date of this Annual Report, we are not aware of any material risks from cybersecurity threats that are reasonably likely to do so. However, we cannot eliminate all risks from cybersecurity threats or provide assurances that the Company will not be materially affected by such risks in the future. Due to evolving cybersecurity threats, despite our security measures, we may not be able to anticipate, prevent, and stop future cybersecurity incidents, including attacks on our information systems and data and those of our partners. Also see “Information Security, Cybersecurity, Data Privacy, Regulatory, and Legal Risks” included as part of Item 1A. Risk Factors of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

The Company’s cybersecurity program is based on recognized frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization, and other applicable industry standards and applies, as appropriate, to the Company’s internal and external information systems, applications, networks, and operations. The Company’s cybersecurity program is focused on the following key areas:

Technical Safeguards. Our cybersecurity team constantly and proactively monitors our network and application landscape for threats and anomalies. The cybersecurity team deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. We maintain a software vulnerability management program supported by internal personnel and third-party service providers. We deploy technologies to automate and enhance our operational security capabilities. We also use third-party managed security services to augment our cybersecurity team’s capabilities.

Incident Response Plan. The Company has established and maintains a comprehensive incident response plan that addresses the Company’s response to a cybersecurity incident. The plan provides a coordinated approach to investigating, containing, mitigating, and documenting cybersecurity incidents, including reporting and escalating findings as appropriate (including to the Company’s crisis management team).

Third-Party Risk Management. The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. Our partners and vendors with whom we share information to conduct our business are required to safeguard it by appropriate means, including elevated contractual commitments when appropriate.

Risk Assessments. We conduct scanning, testing, and assessments designed to identify risks from cybersecurity threats, assess controls, and calibrate planning in response to rapidly evolving cybersecurity risks, and use the results from this testing to adjust our cybersecurity program roadmap to mitigate cybersecurity risks as they evolve. We assess ourselves against industry standard cybersecurity and risk management frameworks to measure the effectiveness of our technology controls and financial reporting controls. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness, including network penetration assessments. The Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.

Internal Audits. Our internal audit team performs audits on various aspects of cybersecurity and reports the results of these audits in its quarterly reports to management and the Audit Committee (the “Audit Committee”) of our Board of Directors (the “Board”). The internal audits assess the sufficiency of security processes and controls for relevant systems. Leaders from our risk management, internal audit, and legal teams administer our enterprise risk management (“ERM”) program, which is designed to identify, assess, and manage our top enterprise risks, including risks arising from cybersecurity threats.

Training. All Ulta Beauty associates have a role as stewards of Company data, and we educate them on how to keep data safe. As part of the Company’s onboarding and annual security awareness training and regular training around phishing, we train associates on how to keep devices and data safe in public places; how to avoid security threats and phishing scams; how to maintain a secure workplace; and everyday practices that help maintain the security of corporate digital devices, data, and systems. In addition, we require vendors and contractors that supply or support our information systems to undergo onboarding and training regarding good information and data security hygiene.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Board of Directors Oversight [Text Block]

The Company has adopted a cross-functional and multi-management level approach to assessing and managing risks arising from cybersecurity threats. While management is responsible for the Company’s day-to-day risk management activities and processes, the Board is ultimately responsible for providing informed oversight of all risks relevant to the Company’s operations, including cybersecurity risk. The Audit Committee oversees the ERM program and is also responsible for the oversight of cybersecurity and other technology-related risks, which the ERM process has identified as key risks. Cybersecurity is a standing agenda item of the Audit Committee’s regular quarterly meetings, where the Audit Committee reviews and discusses cybersecurity risks along with the Company’s cybersecurity programs and strategy with management. The Company’s Chief Technology and Transformation Officer (“CTTO”) and his cybersecurity leadership team, together with the Chief Legal Officer (“CLO”), provide regular updates regarding cybersecurity and privacy topics to the Board and the Audit Committee throughout the year, addressing a wide range of topics, including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, board education, and information security considerations arising with respect to the Company’s peers and third parties. From time to time between quarterly meetings, our CTTO and CLO or other members of management may hold additional cybersecurity-related discussions with the Audit Committee. The Audit Committee regularly reports on its cybersecurity program oversight to the Board. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds as well as ongoing updates regarding any such incident until it has been addressed.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee oversees the ERM program and is also responsible for the oversight of cybersecurity and other technology-related risks, which the ERM process has identified as key risks. Cybersecurity is a standing agenda item of the Audit Committee’s regular quarterly meetings, where the Audit Committee reviews and discusses cybersecurity risks along with the Company’s cybersecurity programs and strategy with management. The Company’s Chief Technology and Transformation Officer (“CTTO”) and his cybersecurity leadership team, together with the Chief Legal Officer (“CLO”), provide regular updates regarding cybersecurity and privacy topics to the Board and the Audit Committee throughout the year, addressing a wide range of topics, including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, board education, and information security considerations arising with respect to the Company’s peers and third parties. From time to time between quarterly meetings, our CTTO and CLO or other members of management may hold additional cybersecurity-related discussions with the Audit Committee. The Audit Committee regularly reports on its cybersecurity program oversight to the Board. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds as well as ongoing updates regarding any such incident until it has been addressed.
Cybersecurity Risk Role of Management [Text Block]

The Company has adopted a cross-functional and multi-management level approach to assessing and managing risks arising from cybersecurity threats. While management is responsible for the Company’s day-to-day risk management activities and processes, the Board is ultimately responsible for providing informed oversight of all risks relevant to the Company’s operations, including cybersecurity risk. The Audit Committee oversees the ERM program and is also responsible for the oversight of cybersecurity and other technology-related risks, which the ERM process has identified as key risks. Cybersecurity is a standing agenda item of the Audit Committee’s regular quarterly meetings, where the Audit Committee reviews and discusses cybersecurity risks along with the Company’s cybersecurity programs and strategy with management. The Company’s Chief Technology and Transformation Officer (“CTTO”) and his cybersecurity leadership team, together with the Chief Legal Officer (“CLO”), provide regular updates regarding cybersecurity and privacy topics to the Board and the Audit Committee throughout the year, addressing a wide range of topics, including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, board education, and information security considerations arising with respect to the Company’s peers and third parties. From time to time between quarterly meetings, our CTTO and CLO or other members of management may hold additional cybersecurity-related discussions with the Audit Committee. The Audit Committee regularly reports on its cybersecurity program oversight to the Board. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds as well as ongoing updates regarding any such incident until it has been addressed.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The CTTO is the primary executive responsible for leading the Company’s cybersecurity risk management program.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The CTTO is the primary executive responsible for leading the Company’s cybersecurity risk management program, with over 30 years of experience in various technology-related roles, including responsibilities related to managing information security, developing cybersecurity strategy, and implementing cybersecurity programs. Our cybersecurity team is led by our Senior Vice President, IT Infrastructure and Security, who reports to our CTTO. The Senior Vice President, IT Infrastructure and Security has 26 years of IT experience. Our Vice President, Information Security reports to the Senior Vice President, IT Infrastructure and Security, and leads the Company’s information security program. He has over 20 years of cybersecurity experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our cybersecurity team is responsible for the operations of our cybersecurity program, including implementing, monitoring, and maintaining cybersecurity and data protection solutions and practices across the enterprise. The cybersecurity team works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response plans.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true