DARDEN RESTAURANTS INC 10-K Cybersecurity GRC - 2024-07-19

Page last updated on July 19, 2024

DARDEN RESTAURANTS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-19 16:20:34 EDT.

Filings

10-K filed on 2024-07-19

DARDEN RESTAURANTS INC filed a 10-K at 2024-07-19 16:20:34 EDT
Accession Number: 0000940944-24-000035


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have implemented policies and procedures intended to manage and reduce cybersecurity risk that are integrated with the Enterprise Risk Management (“ERM”) framework utilized by management and the Audit Committee to oversee our various top enterprise risks. We maintain an incident response plan that is designed to protect against, identify, evaluate, respond to and recover from a cybersecurity related incident. The plan provides for the creation of an incident response team in the event of an incident and it is designed to be flexible enough to accommodate a broad array of potential scenarios. The incident response team is a cross-functional group that may be composed of both Company personnel and external service providers, and that is tailored to a particular incident so that individuals with appropriate experience and expertise are available. We conduct regular exercises to help ensure the plan’s effectiveness and our overall response preparedness. We have also invested in various tools to protect our data and information technology. We maintain a robust system of data protection and cybersecurity resources, technology and processes, and we regularly evaluate new and emerging risks and ever-changing legal and compliance requirements. We make ongoing strategic investments to address these risks and compliance requirements and help keep Company, guest and team member data secure. We monitor risks of sensitive information compromise at our business partners, where relevant, and reevaluate these risks on a periodic basis.

In addition, we have a cybersecurity training program designed to educate and train employees how to identify and report cybersecurity threats. Training programs are conducted on a periodic basis and are focused on giving employees the awareness and tools to manage the most relevant and prevalent cybersecurity risks to us. We also provide specialized training for employees in more sensitive roles. For example, we perform annual and ongoing cybersecurity awareness training for our restaurant management and restaurant support center team members. In addition, we provide annual credit card handling training following Payment Card Industry (PCI) guidelines to all team members that handle guest credit cards. We conduct regular drills, such as tabletop exercises led by third party consultants, to support our overall preparedness for a variety of scenarios.

We take measures to regularly update and improve our cybersecurity program, including conducting independent program assessments, penetration testing and scanning of our systems for vulnerabilities. We periodically engage third parties to perform cybersecurity audits to measure the maturity of our cybersecurity program against the National Institute of Standards and Technology (NIST) Framework. We also engage third parties to conduct security reviews of our network, processes and systems on a regular basis to identify opportunities and enhancements to strengthen our policies and practices.

With respect to third-party service providers, our information security program includes conducting due diligence of relevant service providers’ information security programs prior to onboarding and we continue to reassess vendors using a risk-based approach. We also contractually require third-party service providers with access to our information technology systems, sensitive business data or personal information to implement and maintain appropriate security controls and contractually restrict their ability to use our data, including personal information, for purposes other than to provide services to us, except as required by law. To oversee the risks associated with these service providers, we work with them to help ensure that their cybersecurity protocols are appropriate to the risk presented by their access to or use of our systems and/or data, including notification and coordination concerning incidents occurring on third-party systems that may affect us. Our service providers are contractually required to notify us promptly of information security incidents occurring on their systems that may affect our systems or data, including personal information.

Although we have invested in the protection of our data and information technology and monitor our systems on an ongoing basis, there can be no assurance that such efforts will prevent material compromises to our information technology systems in the future that could have a material adverse effect on our business. As of the date of this filing, we are not aware of any current cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business, results of operations or financial condition. For further discussion of the risks related to cybersecurity, see the risk factors discussed under “Information Technology and Cybersecurity” in our Risk Factors in Item 1A of this Form 10-K.

Governance

Our Board of Directors has ultimate risk oversight responsibility for the Company and administers this responsibility both directly and with assistance from its committees. Each of the committees periodically reports to the Board of Directors on its specific risk oversight activities. The Audit Committee, comprised solely of independent directors, oversees our overall ERM program and assists the Board of Directors in fulfilling its oversight responsibility with respect to our information security and technology risks (including cybersecurity), all of which are fully integrated into our ERM program. The Audit Committee actively reviews and discusses our information security and technology risk management programs and regularly reports out to the full Board of Directors on our relevant strengths and opportunities.

Our cybersecurity program is led by our Chief Information Officer (CIO), who is responsible for identifying, assessing and managing our collective information security and technology risks. Our current CIO has served in that role since 2016 and has more than 20 years of experience in the information security and technology fields. Our CIO holds both bachelor’s and master’s degrees in Electrical Engineering from the Massachusetts Institute of Technology. The CIO meets regularly with leaders of our various information technology management teams to review and discuss our cybersecurity and other information technology risks and opportunities. Our global incident response plan sets forth a detailed security incident management and reporting protocol, with escalation timelines and responsibilities.

The Audit Committee receives periodic updates from the CIO, the director of our cybersecurity team and a senior attorney, the three most senior leaders with responsibility for oversight of our key cybersecurity program components. These updates include matters such as ongoing changes in our external and internal cybersecurity threat landscape, new technology trends and regulatory developments, evolving internal policies and practices used to manage and mitigate cybersecurity and technology-related risks, and trends in various metrics that are used to help assess our overall cybersecurity program effectiveness. Our CIO also provides updates to the full Board of Directors on such topics at least annually.


Company Information

Name: DARDEN RESTAURANTS INC
CIK: 0000940944
SIC Description: Retail-Eating Places
Ticker: DRI - NYSE
Category: Large accelerated filer
Fiscal Year End: May 25