CRACKER BARREL OLD COUNTRY STORE, INC 10-K Cybersecurity GRC - 2024-09-27

Page last updated on October 1, 2024

CRACKER BARREL OLD COUNTRY STORE, INC described its cybersecurity risk management and governance process in an annual 10-K filed on 2024-09-27 10:29:16 EDT.

Filings

10-K filed on 2024-09-27

CRACKER BARREL OLD COUNTRY STORE, INC filed a 10-K at 2024-09-27 10:29:16 EDT
Accession Number: 0001558370-24-013061


Item 1C. Cybersecurity.

We are committed to securing and strengthening our information systems against cybersecurity threats and protecting the privacy and security of our customer, employee, and company data. However, as outlined in “Item 1A. Risk Factors - Risks Related to IT Systems, Cybersecurity and Data Privacy” of this Annual Report on Form 10-K, we are acutely aware that cybersecurity threats are a persistent concern in today’s digital world. Despite our investments in securing our information systems, we understand that cybersecurity incidents can still occur, potentially causing material harm to our brand, business, operations, and financial condition. In light of this, we have developed a cybersecurity risk management program to identify, assess, monitor and manage cybersecurity risk. Our Board of Directors oversees cybersecurity risk as part of its risk management function and has delegated oversight of cybersecurity risk to the Audit Committee. The Audit Committee oversees management’s implementation of our cybersecurity risk management program, including reviewing risk assessments from management and outside consultants regarding our information systems and procedures and overseeing our cybersecurity risk management processes. The Audit Committee receives quarterly reports from management on our cybersecurity risks and is updated on any cybersecurity incidents as necessary. The Audit Committee reports on cybersecurity matters to the full Board on a regular basis. Additionally, the full Board regularly receives presentations from management and third-parties on cybersecurity topics as part of the Board’s ongoing education on issues that affect public companies. As a critical component of our cybersecurity risk management program, we have strategically integrated cybersecurity risk management into our broader enterprise risk management function to cultivate a company-wide culture of cybersecurity risk management.
Our program has been designed and evaluated based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). We use the NIST CSF as a guide to identify, assess, and manage cybersecurity risks relevant to our business. Additionally, given that we accept credit cards as a form of payment, we consider the requirements of the Payment Card Industry Data Security Standards (PCI DSS) as part of our cybersecurity risk management program. We place a high priority on cybersecurity within our organization. This includes regular cybersecurity training for employees, focusing on relevant risks to their job duties (e.g. social engineering, ransomware, denial of service, and other risks). As part of our cybersecurity risk management program, we conduct internal tests to identify potential vulnerabilities. Additionally, we organize annual tabletop exercises led by third-party consultants to enhance our readiness for different scenarios, assess our core information systems and cybersecurity practices, improve decision-making and prioritization, and promote monitoring and reporting across business functions. We annually engage third parties to perform cybersecurity audits to identify opportunities and enhancements to strengthen our policies and practices. We also annually engage an independent third party to perform internal and external penetration testing of our systems. As part of our overall cybersecurity risk management program, the Company maintains cyber insurance coverage, and we periodically meet with our insurer to discuss emerging trends in cybersecurity. While we believe our cyber insurance coverage provides commercially reasonable levels of coverage, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyberattacks and other related breaches. 
With respect to third-party service providers, our cybersecurity risk management program includes conducting due diligence of relevant service providers’ information security programs prior to onboarding, reassessing vendors using a risk-based approach, and performing off-boarding activities as relevant. We also customarily require our financially significant third-party service providers and those third parties with access to sensitive data to promptly notify us of any actual or suspected breach impacting our data or operations. Additionally, we perform a formal System and Organization Controls (“SOC”) review process annually on our financially significant third-party service providers. We continuously monitor cybersecurity risks and adjust our cybersecurity risk management program and practices as needed. As part of our program, we occasionally identify risks or threats to our systems, including ransomware and attempts to obtain team member credentials through phishing attacks and social engineering. While these risks and threats require active and ongoing efforts to mitigate, we have not identified any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our operations, business strategy, or financial condition. Our Chief Information Officer (“CIO”) is directly responsible for the implementation of our cybersecurity risk management program. Our CIO is additionally primarily responsible for our overall information security, strategy, policy, security engineering, architecture, operations and cybersecurity threat detection and the management of cybersecurity risk. Our CIO has over 30 years of experience in the fields of finance, technology and cybersecurity, including relevant prior senior leadership positions held with Marriott International, where he served as Global Chief Information Officer.
The CIO meets with our Chief Executive Officer (“CEO”) on a weekly basis and regularly reports to our senior management, as well as directly to our Board of Directors and the Audit Committee, regarding our cybersecurity risk and risk management. As a part of our cybersecurity risk management program, our cybersecurity team meets regularly to monitor the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents. In the event of a cybersecurity incident, we have a Cyber Incident Response Plan (“CIRP”) that governs our immediate response, including detection, escalation, assessment, management, and remediation. As part of the CIRP response, the cybersecurity team will coordinate with external advisors and other senior management as needed. The cybersecurity team routinely tests the CIRP across the organization to validate the procedures for appropriately escalating potentially material cybersecurity risks and incidents. In the event of a cybersecurity incident, senior management, including our General Counsel, CIO, and Chief Financial Officer (“CFO”), are tasked with conducting an assessment of the incident. This assessment involves evaluating relevant quantitative and qualitative factors as well as considering SEC guidance. Depending on the assessment results, the cybersecurity event may be escalated to involve our CEO, Board of Directors, and law enforcement. Additionally, the Board of Directors in consultation with senior management will decide, based on the assessment, whether the cybersecurity incident requires disclosure in a filing with the SEC.


Company Information

Name: CRACKER BARREL OLD COUNTRY STORE, INC
CIK: 0001067294
SIC Description: Retail-Eating Places
Ticker: CBRL - Nasdaq
Category: Large accelerated filer
Fiscal Year End: August 1