Dutch Bros Inc. 10-K Cybersecurity GRC - 2025-02-13

Page last updated on February 14, 2025

Dutch Bros Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-13 16:07:53 EST.

Filings

10-K filed on 2025-02-13

Dutch Bros Inc. filed a 10-K at 2025-02-13 16:07:53 EST
Accession Number: 0001866581-25-000048


Item 1C. Cybersecurity.

Risk Management and Strategy

We rely on information technology networks and systems and data processing to manage a variety of business processes and activities, including, without limitation, to process customer payments and conduct our marketing efforts. We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic, or competitive in nature, and customer data.

We utilize certain third-party service providers to perform a variety of functions, such as outsourcing certain business critical functions, augmenting staff for after-hours support, help tracking chain of custody for physical PCI devices for our shops, providing applications, hosting our systems, distributing our products, property management, providing cloud-based infrastructure, data center facilities, encryption and authentication technology, supporting corporate productivity services, and other functions. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, for certain service providers, our vendor management process includes reviewing the cybersecurity practices of certain providers, contractually imposing obligations on certain providers related to the services they provide and/or the information they process, conducting security vulnerability assessments, requiring providers to complete written questionnaires regarding their services and data handling practices, conducting periodic re-assessments during their engagement, using a third party vendor management security company to provide certain ongoing monitoring, or annually collecting certain information security-related compliance documentation and reports.

Dutch Bros Inc. | Form 10-K |

Risks from cybersecurity threats are among those that we address in the Company’s general risk management program. As part of our overall risk management processes, the Company maintains various policies related to information security, including, for example, an Incident Response Policy and a Cybersecurity Incident Reporting Policy.

We identify cybersecurity threats as part of our risk management processes, including (depending on the environment or systems) through internal monitoring, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environments, evaluating our and our industry’s risk profile, evaluating threats reported to us, conducting threat assessments for internal and external threats, and conducting security vulnerability assessments to identify vulnerabilities.

Our information technology team is responsible for identifying, assessing, and managing the Company’s cybersecurity threats and risks under the oversight of our Chief Technology and Information Officer. This team works with third parties from time to time to help identify, assess, and manage cybersecurity risks, including professional services firms and other vendors.

Based on our assessment process, we implement and maintain various technical, physical, and organizational measures designed to manage and mitigate cybersecurity risks and potential material impacts. Depending on the environment or systems, we implement measures designed to prevent, detect, respond to, mitigate, and recover from identified and significant cybersecurity threats.

The risk management and reduction measures we implement for certain of our environments or systems include: policies and procedures designed to address cybersecurity threats, including an incident response policy, acceptable use policy, and vulnerability management policy; internal and/or external security audit assessments of select environments to assess our exposure to cybersecurity threats, compliance with risk mitigation procedures, and the effectiveness of relevant controls; documented risk assessments; encryption of certain data; network security controls in certain systems; physical and electronic access controls in certain environments; asset management, tracking and disposal; systems monitoring of certain systems; employee security training; penetration testing of certain environments; maintaining cyber insurance; and a dedicated cybersecurity leader.

Our business, results of operations, financial condition, or reputation could be materially affected as a result of certain risks from cybersecurity threats, including for example, due to: the cost of and modification of business activities and implementation of security measures; system failure, data loss, fraud or theft; disruptions, including in operations; delays in remediation of high risk or critical vulnerabilities; costs of notices and other disclosures that may be required by applicable data privacy and security obligations; or our inability to recover such costs under insurance policies or contractual rights. See “Risks Related to Our Business” in Item 1A, Risk Factors for more information and a description of the risks from cybersecurity threats that materially affect the Company.

Governance

The Audit and Risk Committee of the board of directors is responsible for oversight of the Company’s processes and policies for enterprise risk identification, management, and assessment, including certain risks around data privacy, technology, and information security.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Technology and Information Officer, Venki Krishnababu, who has over 30 years of experience in the information technology field. Prior to serving the Company, Mr. Krishnababu served in various information technology roles, most recently as Chief Technology Officer, at lululemon athletica inc. (NASDAQ: LULU), and prior to that as Chief Technology Officer at Premera Blue Cross.

Our Chief Technology and Information Officer is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our Chief Technology and Information Officer and his team are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including reporting certain incidents to a cross-functional group responsible for making ongoing assessments of reported incidents. This group is led by our Chief Legal Officer and Chief Technology and Information Officer, and includes members of our standing Disclosure Committee.

The Chief Legal Officer is responsible for informing the Audit and Risk Committee regarding certain significant cybersecurity threats and risks, and meets with the Audit and Risk Committee periodically or at special meetings to review and discuss issues. Additionally, our Chief Legal Officer oversees an annual enterprise risk assessment that addresses certain applicable cybersecurity risks, the results of which are presented to the Audit and Risk Committee. We also engage a third party consulting firm to assist with our annual enterprise risk assessment. Our Chief Legal Officer works with the Board, senior management, others at various levels of the organization, and our outside advisors to help identify, assess, and validate the Company’s top risks, taking into account past risk mitigation activities and future plans.

Under our Cybersecurity Incident Reporting Policy, the Chief Legal Officer is also responsible for communicating to the Audit and Risk Committee the activities of the Company related to the assessments and reporting of potentially significant cybersecurity incidents.


Company Information

Name: Dutch Bros Inc.
CIK: 0001866581
SIC Description: Retail-Eating & Drinking Places
Ticker: BROS - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30