BRINKER INTERNATIONAL, INC 10-K Cybersecurity GRC - 2024-08-21

Page last updated on August 22, 2024

BRINKER INTERNATIONAL, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-21 16:39:58 EDT.

Filings

10-K filed on 2024-08-21

BRINKER INTERNATIONAL, INC filed a 10-K at 2024-08-21 16:39:58 EDT
Accession Number: 0000703351-24-000030


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company takes a risk-based, proactive approach to its management of cybersecurity threats inherent in our business. Our existing cybersecurity policy includes ongoing monitoring and detection programs, network security precautions, encryption of certain critical data, in depth security assessment of vendors and incident response guidelines. We continue to invest and improve in the protection of systems, sensitive data, technology, and processes using third-party and in-house tools and resources. We remain vigilant in staying ahead of new and emerging risks utilizing our in-house tools, and security teams review and make strategic investments in our systems to keep the Company, our guests and our team members’ data secure. The Company’s Vice President of Information Technology and Security is responsible for developing and implementing these controls and processes. We subscribe to multiple feeds and associations that discuss and monitor risks of any technology compromise at our business partners where relevant.

Relevant restaurant level personnel and employees at the restaurant support center receive periodic training to bring awareness on how they can help prevent and report potential cybersecurity incidents. We also provide credit card handling training following Payment Card Industry guidelines to team members that handle guest payment information. In addition, key stakeholders involved with our cybersecurity risk management programs receive additional training and regularly participate in scenario-based training exercises to support the effective implementation of our programs.

We maintain a disaster recovery plan and protect against business interruption by backing up our major systems. We routinely scan our environment for any vulnerabilities and perform penetration testing.

In addition to our internal processes and controls, we engage multiple third parties to assess the effectiveness of our data security practices, including through an annual risk assessment. We conduct annual cybersecurity audits using a reputable third-party security auditor. A third-party conducts regular network security reviews, scans and audits. We require third-party vendors and service providers to complete a security questionnaire or provide a security compliance report performed by a reputable third-party to assess their risk.

We maintain a Risk Register documenting identified risks, including those from cybersecurity threats, their potential impact, and mitigation strategies. Through our internal audit function, we also perform an annual risk analysis using a risk matrix to prioritize risks based on their potential impact and likelihood.

There can be no guarantee that our policies and procedures will be effective. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. See Item 1A - Risk Factors for additional discussion of our cybersecurity risks.

We believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incident, including the 2018 malware incident, have not materially affected our results of operations or financial condition, including our business strategy, for the periods covered by this Annual Report on Form 10-K, and we do not believe that such risks are reasonably likely to have such an effect over the long term.

Governance

The Company’s cybersecurity risk management processes are integrated into the Company’s overall risk management processes and managed by a cross-functional team, comprised of IT leadership, Internal Audit and Legal. Our IT leadership team is comprised of our Chief Information Officer and Vice President of Information Technology and Security, each with over two decades of experience in information technology and cybersecurity. Our processes are designed to create a comprehensive, cross-functional approach to identify and mitigate cybersecurity risks as well as to prevent cybersecurity incidents in an effort to support business continuity and achieve operational resiliency.

The Audit Committee of the Board of Directors has overall oversight responsibility for data security practices and controls to monitor and mitigate the Company’s technology risk exposure. IT leadership, along with Internal Audit and our Legal teams, receive reports on present cybersecurity threats from a number of experienced information security specialists or other relevant parties responsible for various parts of the business on an ongoing basis. Management, including the Vice President of Information Technology and Security and Chief Information Officer, reports quarterly, or more frequently if needed, to the Board of Directors, including the Audit Committee, on the effectiveness of our cybersecurity and data protection practices. The Audit Committee reviews the findings of the Company’s annual risk assessment and penetration test. Further, our Board members also engage in ad hoc conversations with management on cybersecurity-related news events, receive training specific to cybersecurity risks and threats and regularly discuss any updates to our cybersecurity risk management and strategy programs.

The Company’s incident response team is comprised of leaders from our information security team, risk, legal and audit departments. We have established and regularly test incident response processes and controls that identify and risk-rank incidents through a centralized system to promote timely escalation of cybersecurity incidents that exceed a particular level of risk. Incidents of sufficient magnitude or severity are escalated to the appropriate Company officers.


Company Information

Name: BRINKER INTERNATIONAL, INC
CIK: 0000703351
SIC Description: Retail-Eating Places
Ticker: EAT - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: June 25