Page last updated on November 20, 2024
STARBUCKS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-20 16:08:06 EST.
Filings
Accession Number: 0000829224-24-000057
Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Starbucks has implemented a cybersecurity program that leverages industry-standard cybersecurity frameworks to assess, identify, and manage cybersecurity risk. Our cybersecurity program is integrated with the Enterprise Risk Management (“ERM”) framework and governance processes utilized by management and our Board to oversee our various top enterprise risks. Our internal audit function periodically evaluates our cybersecurity program and selected aspects of it. We have implemented various processes and tools to identify cybersecurity threats, detect potential attacks, and protect our data and information technology. We periodically evaluate evolving cybersecurity risks and legal and compliance requirements, and we make ongoing strategic investments to address those evolving risks and requirements. Starbucks assesses, measures, and reports on cybersecurity risk at operational, program or management, and strategic or executive oversight levels.

We maintain and periodically update written cybersecurity policies, standards, and controls, which are reviewed by a cross-functional management-level committee and designed to align with business objectives, regulatory requirements, and industry best practices. We train our employees through annual cybersecurity awareness training, phishing simulations, and periodic communications about timely cybersecurity topics and threats. We also implement a variety of tools to monitor our systems and network activity, and we conduct various simulated attacks and penetration tests to assess the effectiveness of these tools.

We maintain an incident response plan that guides us in identifying, evaluating, responding to, and recovering from cybersecurity incidents. The plan provides for the creation of a cross-functional, tailored incident response team, led by dedicated incident responders, that may include both Company personnel and third-party service providers, as appropriate. The incident response plan includes incident classification and escalation protocols, as well as processes to assess and comply with applicable legal obligations. We periodically test the effectiveness of the plan, and review and update it as appropriate. We also maintain insurance coverage that, subject to its terms and conditions, is intended to help us mitigate certain costs associated with cybersecurity incidents.

We engage third-party security experts, as appropriate, to support our processes for assessing, identifying, and managing cybersecurity risks, including, for example, periodic evaluations of our cybersecurity program from a design and effectiveness perspective, penetration testing, vulnerability scanning, employee awareness training, phishing simulations, and incident monitoring and response. To address cybersecurity risk arising from our relationships with our third-party business partners and service providers, we maintain a third-party risk management program, which takes a risk-based approach and includes elements such as conducting cybersecurity assessments, including cybersecurity-related obligations in agreements, and utilizing external monitoring sources. In addition, we maintain a global privacy program to identify, assess, and manage privacy risks related to how we are collecting, using, sharing, storing, and otherwise processing personal data.

As of the date of this filing, we have not identified any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, there can be no assurance that we, or our third-party business partners or service providers, will not experience a cybersecurity threat or incident in the future that could materially adversely affect our business strategy, results of operations, or financial condition. For further discussion of the risks related to cybersecurity, see the risk factors discussed under “Risks Related to Cybersecurity and Data Privacy” in our Risk Factors in Item 1A of this Form 10-K.

Governance

Our cybersecurity program is led by our senior vice president, chief information security officer (“CISO”), who is responsible for identifying, assessing, and managing our collective information security and technology risks. Our CISO has more than 20 years of experience in the information security and technology fields. The CISO reports to our executive vice president, chief technology officer, who has more than 25 years of service in various leadership roles in information technology across multiple Fortune 500 companies. The CISO is informed about the prevention, detection, mitigation, and remediation of cybersecurity incidents through management of, and participation in, the cybersecurity program described above, including through reports prepared by our internal cybersecurity team and the operation of our incident response plan. The CISO meets regularly with leaders of our various information technology management teams and with the Risk Management Committee (a management-level committee, which is co-managed by our CFO and chief legal officer), to review and discuss our cybersecurity and other information technology risks and opportunities.

Our Board has ultimate cybersecurity and data privacy risk oversight responsibility for the Company and administers this responsibility both directly and with assistance from the Audit and Compliance Committee (“Audit Committee”) and the Environmental, Partner, and Community Impact Committee (the “Impact Committee”). The Audit Committee oversees our cybersecurity and technology risks, and the Impact Committee oversees our data privacy risks, all of which are integrated into our overall ERM program. The Audit Committee actively reviews and discusses our cybersecurity and technology risk management programs and regularly reports out to the full Board on our relevant strengths and opportunities. The Impact Committee reviews our data privacy risk management programs and reports out to the full Board on our relevant strengths and opportunities.

The Audit Committee receives quarterly updates from the CISO or other members of the CISO’s team with responsibility for oversight of our key cybersecurity program components. These updates include, as appropriate, ongoing changes in our external and internal cybersecurity threat landscape, new technology trends and regulatory developments, evolving internal policies and practices used to manage and mitigate cybersecurity and technology-related risks, cybersecurity incidents and our response to them, and trends in various metrics that are used to help assess our overall cybersecurity program effectiveness. The Impact Committee receives annual updates from our vice president, data privacy, on our data privacy practices, emerging risks, and evolving global privacy laws and regulations.
Company Information
Name | STARBUCKS CORP |
CIK | 0000829224 |
SIC Description | Retail-Eating & Drinking Places |
Ticker | SBUX - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | September 26 |