Dine Brands Global, Inc. 10-K Cybersecurity GRC - 2025-03-05

Page last updated on March 5, 2025

Dine Brands Global, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 07:52:01 EST.

Filings

10-K filed on 2025-03-05

Dine Brands Global, Inc. filed a 10-K at 2025-03-05 07:52:01 EST
Accession Number: 0001628280-25-010259


Item 1C. Cybersecurity.

Risk Management and Strategy

The primary objective of our security program is to prevent, detect and respond to security risks and threats to protect the confidentiality, integrity and availability of our information systems and our sensitive data. Our cybersecurity program approach is risk-based, using continuous threat modeling to help us identify, track and measure our progress to reduce security risk based on three pillars:

- Prevention, through planning and designing solutions to implement security controls. The security functions that support prevention efforts are aligned with security architecture, strategy and risk management activities;
- Detection and response activities, which enable us to discover and respond to cybersecurity events in a timely manner. When a potentially damaging or threatening cybersecurity event is detected, our security operations team, focused on delivering detection and response services, executes the appropriate cybersecurity incident response plan; and
- Governance and compliance, through cross-functional engagement, good operational hygiene and consistent discipline. Ongoing stakeholder collaboration, communications and training within a well-defined policy framework aligned with industry standards is foundational for strong governance and effective compliance. As part of the policy framework, operating procedures are kept up-to-date to reflect the current state of execution and to drive investment and iterative improvements in the highest priority areas of the security program. See Governance below for additional detail.

Our program framework and foundation are based on common security standards and frameworks, including ISO/IEC 27001/2:2022 and NIST Cyber Resiliency Framework and Model, in alignment with PCI DSS, privacy laws and regulatory requirements.

Our information and cybersecurity policy, standards, strategy, roadmap and processes are aligned with industry-recognized security risk management framework and practices, including detailed tasks, plans and initiatives, which are reviewed and updated periodically, and at least annually. Our program also incorporates incident response plans and notification protocols, to assess and manage security incidents and threats, including their materiality. Our cybersecurity program uses layered security defenses, cyber resiliency and automation capabilities for our security functions and operations. Our cybersecurity roadmap outlines and defines the security initiatives, projects and tasks. Security investments and projects are discussed by the Security Steering Committee (“SSC”). We engage with a range of third-party cybersecurity service providers, assessors and auditors to evaluate and enhance the effectiveness of our cybersecurity program. Services provided by these third parties include 24/7 security logging, network and endpoint monitoring, vulnerability scanning, penetration testing, security incident response tabletop exercises and security and compliance posture assessments. Vendor security monitoring is an important component of our cybersecurity program to ensure our vendors are securing and protecting our critical infrastructure, data, and information, integrated with our contract management process, including security addenda and vendor security risk assessments for new contracts and annual vendor security risk assessments for critical vendors.

Our security incident response plan provides guidelines and requirements for reasonable and consistent responses to security incidents to limit damage while preserving the confidentiality, integrity and availability of Company systems and information, and reducing recovery time and cost, including but not limited to, escalation of security incidents to appropriate team members for investigation and response and documenting the required steps for investigation and remediation taken during the security incident response. We perform an annual tabletop exercise led by third-party security experts with participation from executive management and technical internal teams. Our employees and vendor partners are also trained to report any security events to the cybersecurity team, who will escalate and notify the legal team, senior executives, and Board of Directors as needed. As of the date of this report, we are not aware of any actively exploited security risks from cybersecurity threats, including as a result of any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition.

Governance

Our cybersecurity risk management program is informed by legal and regulatory requirements and considerations. Cybersecurity risks are included as an integral part of our broader Enterprise Risk Management (“ERM”) program and reviewed regularly by internal stakeholders comprised of a cross-functional team to assess the risk level and strength of our mitigation strategies.

Our cybersecurity risk assessment is performed regularly throughout the year, and may include:

- Regular cybersecurity program, risk and incidents reporting to the Board of Directors;
- Regular cybersecurity risk reporting to the Enterprise Risk Committee, which includes the Company’s Chief Executive Officer, Chief Financial Officer, Senior Vice President, Legal, General Counsel & Secretary, Internal Audit, Chief Information Officer and Chief Information Security Officer (“CISO”); and
- Routine Security Steering Committee meetings with members from the Company’s cybersecurity, ERM, Information Technology (“IT”), internal audit and legal teams.

Our CISO leads our cybersecurity team and is generally responsible for management of cybersecurity risk and the protection and defense of our networks and systems. Our CISO has 30 years of experience serving in various roles related to cybersecurity and information security. The SSC, chaired by our CISO, is comprised of executive level representatives from our IT, legal, enterprise risk management and internal audit teams and is responsible for oversight, evaluation and coordination of activities related to safeguards, security risk, controls, remediation activities, policy governance and other related security program activities. The Board of Directors is responsible for overseeing overall risk management for the Company. The Audit Committee receives reports from the CISO regarding the cybersecurity program. The presented topics include, but are not limited to, the status of ongoing cybersecurity initiatives, incident reports and compliance with industry standards. Members of the Board of Directors also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.


Company Information

Name: Dine Brands Global, Inc.
CIK: 0000049754
SIC Description: Retail-Eating Places
Ticker: DIN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30