Page last updated on February 27, 2025
Krispy Kreme, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 17:10:58 EST.
Company Summary
Krispy Kreme is a global retailer of premium-quality sweet treats and is famous for its original glazed doughnut.
Filings
10-K filed on 2025-02-27
Krispy Kreme, Inc. filed a 10-K at 2025-02-27 17:10:58 EST
Accession Number: 0001857154-25-000013
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We have processes in place for assessing, identifying, and managing material risks from unauthorized occurrences on or through our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems. These include a wide variety of mechanisms, controls, technologies, methods, systems, and other processes that are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities. In addition, we engage with independent third-party partners, including cybersecurity assessors, consultants, and auditors, to assess and consult on our cybersecurity capabilities, prioritize areas of risk, and assist with execution of our risk management and strategic plans. Our collaboration with these third parties includes audits, threat assessments, and consultation on security enhancements. In an effort to mitigate data or security incidents that may originate from third-party suppliers, we also identify, prioritize, assess, and address third-party risks; however, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure that their efforts will be successful. As part of our risk management process, we conduct application security assessments, vulnerability management, penetration testing, security audits, and risk assessments. We provide cybersecurity awareness training to employees with access to information systems, including corporate employees. We also maintain an incident response plan.
Our incident response plan outlines the process for our coordination with our third-party cybersecurity providers to respond to and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with applicable legal obligations and mitigate brand and reputational damage. In addition, our incident response plan includes actions designed to enhance processes and responsiveness to address future incidents. We continue to strengthen our systems, cybersecurity training, policies, programs, response plan, and other similar measures. As previously disclosed in the Company’s Current Report on Form 8-K filed with the SEC on December 11, 2024, during the fourth quarter of fiscal 2024, unauthorized activity on a portion of our information technology systems resulted in the Company experiencing certain operational disruptions, including with online ordering in parts of the U.S. (the “2024 Cybersecurity Incident”). Our online ordering, retail shops, and core business functions are now fully operational. The incident materially affected the Company’s business operations and is reasonably likely to materially impact the Company’s results of operations and financial condition. In the fourth quarter of fiscal 2024, we incurred approximately $3 million of remediation expenses related to the 2024 Cybersecurity Incident. In addition, we estimate that we lost revenue within our U.S. segment in an amount of $11 million related to the incident with a corresponding estimated $10 million impact on Adjusted EBITDA (includes margin on the aforementioned lost revenues, as well as operational inefficiencies). We expect to continue to incur costs in fiscal 2025 related to the incident, including operational inefficiencies early in the first quarter and costs related to fees for our cybersecurity experts and other advisors. 
The Company holds cybersecurity insurance that is expected to offset a portion of the losses and costs from the incident. As of the date of this report, except as set forth herein, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, our business strategy, results of operations, or financial condition. For more information regarding cybersecurity risks that have and may in the future materially affect us, see “Risk Factors-Risks Related to Cybersecurity, Data Privacy, and Information Technology” included in Item 1A of Part I of this Annual Report on Form 10-K.
Governance
Our Chief Information Officer (“CIO”) leads our global information security organization responsible for overseeing the Company’s information security program. Our Chief Information Security Officer (“CISO”) is primarily responsible for identifying, assessing, monitoring, and managing cybersecurity threats to our overall enterprise. Our CIO has over 25 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Our CISO, who reports directly to the CIO, has over 30 years of information technology infrastructure and security experience, including developing and leading cybersecurity risk management programs for a variety of companies. Additionally, the team supporting the CISO has relevant educational and professional information technology security experience, including holding similar positions at other large companies. The CISO receives information regarding cybersecurity incidents and threats primarily from our third-party cybersecurity providers. The CISO then provides periodic reports to the CIO, including reporting on significant cybersecurity incidents, strategy, results of employee trainings, and any other notable cybersecurity matters. Cybersecurity risk is among the top risks that the Company actively monitors.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. The Audit and Finance Committee (“Audit Committee”) of the Board of Directors oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. The Audit Committee also oversees our cybersecurity risk and receives reports from our CIO on various cybersecurity matters, mitigation measures, and the status of our information security priorities. In addition, the Audit Committee reports to the Board of Directors on any significant cybersecurity incidents, such as the 2024 Cybersecurity Incident.
Company Information
Name | Krispy Kreme, Inc.
CIK | 0001857154
SIC Description | Retail-Food Stores
Ticker | DNUT - Nasdaq
Website |
Category | Large accelerated filer
Fiscal Year End |