Aramark 10-K Cybersecurity GRC - 2024-11-19

Page last updated on November 19, 2024

Aramark reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-19 16:21:43 EST.

Filings

10-K filed on 2024-11-19

Aramark filed a 10-K at 2024-11-19 16:21:43 EST
Accession Number: 0001584509-24-000212


Item 1C. Cybersecurity.

The secure collection, maintenance, processing and transmission of financial and operational data, ordering, point-of-sale processing and payment information, including personal data, is critical to our operations and the experience of our customers. We have implemented technologies and tools to evaluate our cybersecurity measures and maintain a cyber-risk management strategy related to our technology infrastructure that includes monitoring emerging cybersecurity threats and assessing appropriate responsive measures.

Risk Management and Strategy

Risk Identification

We employ a risk-based approach for our cybersecurity program in which the level of controls is based upon asset value and organizational risk. Consequently, our cybersecurity program has a layered approach to cyber controls focused on protection of the confidentiality, integrity, and availability of sensitive data (both internal and third party). Our CISO and cybersecurity organization are actively engaged within the cybersecurity threat intelligence community in order to monitor emerging trends and developments, attack vectors, and best practices for identifying and mitigating cyber threats.

Risk Assessment

Our cybersecurity team monitors the cyber risk climate on an ongoing basis and performs cyber risk assessments at both tactical and strategic levels that are integrated into our overall risk management processes. These risk assessments may review various issues such as Payment Card Industry Data Security Standard compliance and cyber vulnerability on an enterprise and application level.

Risk Management

We have a global information security program responsible for creating cybersecurity policies, including an overarching Global Information Security Policy, that takes into account the National Institute of Standards & Technology Cybersecurity Framework (“NIST CSF”) and regulatory requirements.

Our CISO is responsible for oversight of the cybersecurity program, supervision of the members of the team, and implementation of our layered cybersecurity measures, which include a documented security architecture program, endpoint detection, security incident response and event management and recovery, and privileged access management, among others. Likewise, logical access controls are employed to manage and provision access based upon business need, and data encryption is leveraged to preserve data confidentiality. Data is regularly backed up in support of preserving availability. Audit logs are collected, correlated and analyzed by the Security Operations Center (“SOC”).

We provide all salaried employees, including new hires, cybersecurity training courses that sensitize them to risks and threat actor tactics. We also provide specialized security and data privacy training for certain employees, such as those handling sensitive or protected health information. On a quarterly basis, our cybersecurity organization conducts simulated phishing exercises to test and educate employees on real-world threats.

We engage third-party service providers as part of our cyber risk mitigation efforts. We contractually require vendors with access to personal information to maintain sufficient cybersecurity and data privacy standards. As part of our PCI compliance program, we assess vendors with access to payment card data on an annual basis, and we review other critical vendors periodically and on an as-needed basis. We also maintain relations with local and federal law enforcement in connection with cybersecurity matters. In fiscal 2024, we engaged an independent cybersecurity advisory firm to lead a cybersecurity crisis simulation exercise that has been used by our senior leaders to prepare for a possible cyber crisis. In addition, we engaged an international cybersecurity company, specializing in IT services and software development, to augment our monitoring, incident response, detection, and forensics efforts; various Information Sharing and Analysis Centers (ISACs) for threat intelligence; and a recognized cyber defense company that specializes in threat intelligence and incident response services.

We purchase insurance to mitigate the potential financial consequences of cybersecurity incidents. We regularly review our cyber insurance program, assessing our coverage and policy terms. During the normal course of business, we have experienced and expect to continue to experience a range of cyber-based attacks and other attempts to compromise our information systems, although none, to our knowledge, has had a material adverse effect on our business, financial condition, or results of operations. For additional information about cybersecurity risks, see Item 1A. “Risk Factors.”

Governance

Role of the Board

Our Board of Directors has delegated primary responsibility for the oversight of cybersecurity to the Audit Committee, which reviews and oversees our programs, policies, practices and safeguards relating to: information technology, data privacy and protection, cybersecurity and fraud, identification, assessment, monitoring, mitigation and the overall management of those risks, and our cyberattack incident response and recovery plan. The Audit Committee receives regular reports from our Chief Information Officer (CIO) and CISO on, among other things, our cyber risks and threats, the status of measures to strengthen our cybersecurity systems, assessments of our Cybersecurity program, and our views of the emerging threat landscape. During fiscal 2024, substantially all of our directors attended the Audit Committee meetings in which the Committee received updates relating to cybersecurity.

Role of Management

Our CISO, who reports directly to our CIO, is responsible for the day-to-day management of the Cybersecurity program and mitigation of cybersecurity risks, and supervises our SOC. Our CISO sets our cybersecurity strategy, oversees relevant policies, and manages the risk, assurance, and internal security reporting processes. Our CISO also oversees the Cybersecurity Incident Response Team (“CSIRT”), which receives updates regarding and conducts initial evaluations of critical and emerging risks and reports on such risks to senior management, as necessary. We utilize a security incident response framework that is led by our CISO and supported by the CSIRT with the goal of both ensuring timely notification to our management and the Audit Committee, or the Board of Directors as appropriate, and mitigation of cybersecurity incidents. Our CISO also sits on our Disclosure Committee.

Our CISO brings over twenty years of extensive cybersecurity expertise, encompassing pivotal roles from hands-on technical positions to leadership responsibilities in designing, building and executing multiple cybersecurity teams and programs. Our CISO’s career spans global organizations across different industries such as retail, software and technology, medical device manufacturing, and cyber advisory and audit services. Our CISO holds the following certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC) from the Information Systems Audit and Control Association, and is a Certified Cybersecurity Information Security Officer (C-CISO) by the International Council of E-Commerce Consultants.


Company Information

Name: Aramark
CIK: 0001584509
SIC Description: Retail-Eating Places
Ticker: ARMK - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 26