Page last updated on February 25, 2025
Portillo’s Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 08:05:37 EST.
Filings
10-K filed on 2025-02-25
Portillo’s Inc. filed a 10-K at 2025-02-25 08:05:37 EST
Accession Number: 0001871509-25-000016
Item 1C. Cybersecurity.
Risk Management Strategy
Responsibility for cybersecurity risk management comes from a collective effort, with day-to-day oversight and management from our executive and information technology (“IT”) teams. Additionally, the Audit Committee continues to take a more active role in setting both proactive and reactive strategies, with the overall Board overseeing our efforts and helping to guide our strategy. From a framework standpoint, we primarily utilize the National Institute of Standards and Technology (“NIST”) framework to assess and mitigate cybersecurity risks. This framework guides our efforts to identify, analyze and contain any security threats, and advises as to potential actions to consider if a need arose to recover from a security incident. Our primary source of cybersecurity risk relates to security of our third-party service providers, whose activities and scale may present more desirable targets. However, we do maintain certain systems ourselves and appreciate the need to focus internally as well. We manage cybersecurity risk through a variety of tactics, including (i) the structure of our systems and platforms, (ii) the contractual terms with our third-party vendors, (iii) the proactive vulnerability assessments we conduct (or require our vendors to conduct), (iv) compliance with applicable regulations and continuous improvement around best practices, (v) mitigating user error and human vulnerabilities through training and guidance, (vi) attending security conferences and operationalizing new learnings and/or planning for environment changes in response to these learnings, and (vii) the placement of cybersecurity insurance policies. We also work with cross-functional partners and outside experts, including legal counsel and consultants, to identify the legal requirements and industry practices and expectations that the Company’s security measures should satisfy.
We employ a “Defense in Depth” strategy to protect the Company, segmenting our systems and networks so that an attack on one segment does not allow for easier compromise of other systems and networks. Within the Company, administrative access to various systems is limited so that there is no universal access if an administrator-level account is compromised. We involve our IT team when negotiating contracts that could increase our cybersecurity risk exposure, so that the team is aware of the specific risks related to a given vendor and can provide feedback and advice on the contractual provisions necessary to prevent a cybersecurity incident, or in the event an incident does occur, to ensure that the Company has the necessary rights to act quickly to protect team members, guests, and our business and mitigate potential damage. We are continuously improving our processes and contract positions to reflect evolving risks and market practices. We appreciate the need to monitor and test our systems to make sure that they are working the way that they should. We negotiate with our vendors about a variety of monitoring, testing, and reporting provisions so that we can work with them to better address vulnerabilities. This may include sharing SOC 1 or SOC 2 Type 2 audit reports, conducting periodic penetration and vulnerability testing, both internally and externally, and confirmation that vendors are adhering to applicable laws. Some of this testing and monitoring is conducted in-house and some is conducted by third-party vendors. We routinely conduct penetration testing across our various environments and networks, including our Restaurant Support Center, our restaurants and our cloud-based architecture and systems. We review penetration testing outcomes and take steps to address any meaningful findings, while documenting the resolution steps for these efforts.
We work with team members at all levels to educate them about evolving risks, from well-known tactics and scams (e.g., phishing) to their more sophisticated descendants (e.g., spear phishing and smishing). Team members receive training on data security and privacy practices and are included in periodic awareness campaigns to test real-world responses. We continue to add further training opportunities as they become available and have incorporated “tabletop” exercises for our Board, our management team, and our team members into our risk mitigation efforts to help us refine our business interruption and response plans. The Company also employs and enforces policies to guide team member behavior and help protect against threats, which includes steps such as regular password updates and obtaining permission to install third-party programs. Team member training reinforces the Company’s risk management policies and procedures and the expectation that all team members will adhere to them. The Company also maintains a cybersecurity insurance policy that we believe is appropriate for a company of our size and risk profile, but it is possible that it may not fully cover the costs associated with a cybersecurity incident. We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected our business strategy, results of operations or financial condition. However, there is no guarantee that a future cybersecurity incident would not materially affect our future strategy, results or financial condition. For a more in-depth discussion of risks associated with cybersecurity and cybersecurity insurance risks, see Item 1A, “Risk Factors.”
Cybersecurity Governance
Both the Board and the Audit Committee play an important role in the Board’s oversight of cybersecurity threats.
The Audit Committee receives periodic updates on the Company’s risk profile and mitigation strategies and conducts forward-looking discussions about major IT changes that are planned, the risks involved and the Company’s potential mitigation strategies. The Audit Committee shares updates with the broader Board. We presently have three Directors, Ann Bordelon, Chair of the Audit Committee, Paulette Dodson, and Noah Glass, who have cybersecurity risk management experience, and we continue to monitor whether supplemental experience may be useful as cybersecurity threats continue to evolve. The IT Team manages day-to-day cybersecurity risks under the oversight of our Chief Information Officer (“CIO”), who is actively engaged in strategic planning, security assessments, and mitigation efforts. Our CIO has 10+ years of experience overseeing security practices at various multi-national restaurant concepts. Our CIO and Chief Financial Officer discuss IT matters on a routine basis, and as noted above, periodic reviews are conducted with the executive management team and the Audit Committee. We have an incident response process that is activated in the event of a direct or third-party attack. The plan is designed to help us detect, respond to and recover from cybersecurity incidents. Criteria are in place to determine the scope and severity of an incident, in relation to: incident reporting to the Audit Committee and/or the Board; disclosure or other external reporting; compliance with applicable legal obligations; and mitigation of the impact to our brand, its reputation and any impacted parties. To address any gaps in the Company’s collective expertise and to account for the ever-evolving nature of cybersecurity risks, the Company retains various consultants as noted above. The internal and external headcount, and the expertise of the employees and consultants, will change from time to time as we adapt to the changing cybersecurity environment.
Company Information
| Field | Value |
|---|---|
| Name | Portillo’s Inc. |
| CIK | 0001871509 |
| SIC Description | Retail-Eating Places |
| Ticker | PTLO - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 28 |