JACK IN THE BOX INC 10-K Cybersecurity GRC - 2024-11-20

Page last updated on November 21, 2024

JACK IN THE BOX INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-20 19:18:45 EST.

Filings

10-K filed on 2024-11-20

JACK IN THE BOX INC filed a 10-K at 2024-11-20 19:18:45 EST
Accession Number: 0000807882-24-000052


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company maintains a comprehensive information security program that is designed to identify, protect against, detect, and respond to, and manage cybersecurity threats. The program contains security measures that include, but are not limited to, the following: security policies and procedures; physical and environmental protections; monitoring processes and systems; asset management; risk assessments; a vulnerability management and remediation program; and maintenance of a third-party risk management program.

Our Information Security Policy provides guidance on the requirements necessary to ensure the security of the Company’s data, systems, and networks. It applies to all individuals who access IT resources or data processed by the Company.

We use commercially reasonable efforts to follow industry standards and best practices, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, for our IT Security Incident Response Plan. Our technology structures undergo an annual internal assessment to evaluate risk using the NIST Cybersecurity Framework; our assessment methodology and a thorough sampling of our results are validated annually by a third party.

Our IT Security Incident Response Plan defines a cybersecurity incident and outlines the roles, responsibilities, and procedures for us to respond effectively. Having a structured plan enables a rapid response, effective recovery, clear communication and coordinated action to major security incidents. Our plan allows us to reduce recovery time and cost and to also maintain business continuity.

Our IT Application Security Program includes reviews and assessments of security vulnerabilities and remediation. We use commercially reasonable efforts to update security systems regularly to protect against known vulnerabilities. We plan to perform vulnerability scans at least quarterly and penetration testing annually as well as after any significant infrastructure or application modification. Whitebox and blackbox security testing and manual penetration testing is performed to monitor security controls and defenses.

All employees and third-party contractors with access to the Company’s IT infrastructure must annually acknowledge that they have read and understand the IT User Acceptance Policy. Employees and contractors must also complete information security awareness training upon initial hire and annually thereafter.

We have measures in place to protect the confidentiality, integrity and availability of franchise and customer information. Most personally identifiable information (“PII”) handled by our restaurants is associated with payment cards, which are protected by an EMV chip reader that encrypts and tokenizes customer data, so it passes through our networks without retaining any personal information. We do not store any credit or debit card information from customers. All information is processed through a third-party firm. To maintain the safety and security of our customers’ private payment information, we follow the Payment Card Industry Data Security Standard (“PCI DSS”) to ensure our processes and systems are well equipped for proper data protection. Employees and third-party contractors with access to the Company’s cardholder data environment (“CDE”) or systems used to support the CDE, complete annual PCI awareness training. The Company’s corporate restaurant employees also receive periodic security training on devices that capture payment card data.

In addition, the Company engages third parties to assist in assessing, identifying, and remediating material risks from cybersecurity threats. Our key cybersecurity controls applied to financial business processes and supporting information systems are regularly tested and audited by third-party service providers, which we retain to help identify vulnerabilities in our systems and to help maintain compliance to standards and regulatory requirements.

Cybersecurity Governance

Our Board of Directors has charged the Audit Committee with oversight of the Company’s identification, assessment, and management of cybersecurity and data privacy risks. As part of its oversight of our enterprise risk management program, the Audit Committee periodically reviews and prioritizes key risks facing our Company, including cybersecurity risk.

Our Chief Information Security Officer (“CISO”) and Chief Technology Officer (“CTO”) manage our network operations and software development across corporate and franchise locations. The Board of Directors receives regular updates from the CISO and CTO regarding our cybersecurity program and actions taken to manage cybersecurity risk, which include risk identification and management strategies, consumer data protection, security programs, ongoing risk mitigation activities and results of third-party assessments and testing.


Company Information

Name: JACK IN THE BOX INC
CIK: 0000807882
SIC Description: Retail-Eating Places
Ticker: JACK - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 28