Sprouts Farmers Market, Inc. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

Sprouts Farmers Market, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:07:37 EST.

Filings

10-K filed on 2025-02-20

Sprouts Farmers Market, Inc. filed a 10-K at 2025-02-20 16:07:37 EST
Accession Number: 0001575515-25-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C . Cybersecurity Cybersecurity is of critical importance to our success. We are susceptible to significant and persistent cybersecurity threats, including data breaches, ransomware, and phishing attacks. These threats, which are constantly evolving, include attempts by malicious actors to breach our security and compromise our information technology systems, as well as those of our vendors and suppliers. A cybersecurity incident impacting us or any third party could disrupt operations, damage our reputation, and result in costly litigation and/or government enforcement action. We are committed to maintaining robust cybersecurity and data protection practices and continuously evaluate cybersecurity threats, considering their immediate and long-term effects on our business strategy, operations, and financial condition. Under the oversight of our Board of Directors, and the Board’s risk committee, our management has established comprehensive processes identifying, assessing, and managing material risks from cybersecurity threats. These processes are integrated into our enterprise risk management program and include proactive measures such as advanced threat monitoring, penetration testing, multi-factor authentication, and team member training. We also align our practices with recognized standards such as the NIST Cybersecurity Framework. Our detailed incident response plan outlines steps for detection, assessment, notification, and recovery, including escalation to management, the Risk Committee, and the Board when appropriate. The risk committee of our Board, chaired by a director with extensive cybersecurity expertise, receives quarterly updates from management on cybersecurity risks and incidents, including those with moderate or higher impacts. Management updates the full board regularly to ensure alignment on mitigation strategies. Our Chief Technology Officer , with more than 35 years of IT experience, leads our cybersecurity efforts, supported by a dedicated team of certified specialists and external consultants. Our third-party vendors and service providers are integral to our operations but pose unique cybersecurity challenges due to their access to data and our reliance on them for critical operations, including supply chain management. To address these risks, we maintain a third-party vendor risk management program that includes pre-onboarding due diligence, regular audits, and ongoing compliance evaluations. Additionally, we assess critical vendors’ supply chain security practices to reduce risks from subcontractors. As of the date of this report, no cybersecurity incidents have had a material adverse effect on our business, financial condition, or results of operations. However, we recognize that no system is immune to breaches. While we maintain cyber insurance coverage for specific risks, such as ransomware attacks and business interruption, the costs of certain incidents could exceed policy limits. We continue to invest in advanced technologies, such as AI-driven threat detection, to strengthen our defenses against evolving threats. See Item 1A. “Risk Factors - Disruptions to, security breaches or non-compliance involving our information technology systems could harm our ability to run our business and expose us to potential liability and loss of revenues” for additional discussion of cybersecurity risks that may materially impact us.

Company Information