First Watch Restaurant Group, Inc. 10-K Cybersecurity GRC - 2025-03-11

Page last updated on March 11, 2025

First Watch Restaurant Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-11 07:06:47 EDT.

Filings

10-K filed on 2025-03-11

First Watch Restaurant Group, Inc. filed a 10-K at 2025-03-11 07:06:47 EDT
Accession Number: 0001789940-25-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We deploy a cybersecurity program modelled on Center for Internet Security (CIS) Critical Security Controls, commonly referred to as CIS Controls. We believe our program’s control focus provides immediate protection and scalability for our business. Our program defines our governance and management oversight, and includes (i) continual training to enhance user vigilance and resistance to phishing attempts and cyber-attacks, (ii) evaluation of compliance with privacy and data security regulations and (iii) reporting obligations in the event of an incident. As part of our program, we partner with a security operations center for continuous monitoring and alerting across all of our information technology systems. Additionally, our Information Technology leadership meets monthly with a cyber advisor to review progress on tools, scoring and management of our cybersecurity programs. On an annual basis, we engage an external partner to conduct a comprehensive risk assessment of our cybersecurity program, identify gaps based on best practices and recommend improvements. We have also developed vendor scoring criteria to assess cybersecurity, incidence readiness and cyber insurance of our critical vendors and service providers. Additionally, we conduct ongoing internal and external vulnerability and penetration scans. Our internal security team is led by a manager with over 40 years of experience who reports directly to our Chief Information Officer. Security incidents or breaches have from time to time occurred and may in the future occur involving our systems, the systems of the parties with whom we communicate or collaborate (including franchisees) or the systems of third-party providers. As of the date of this Annual Report on Form 10-K, we have not experienced cybersecurity threats or incidents that have materially affected us. However, any actual or perceived breach in the security of our information technology systems or those of our franchisees or our critical vendors and service providers could lead to damage to or failure of our computer systems or network infrastructure which could cause an interruption in our operations and could have a material adverse effect on our business. Furthermore, a significant theft, loss, disclosure, modification or misappropriation of, or access to, guests’, employees’, third parties’ or other proprietary data or other breach of our information technology systems could subject us or our franchisees to litigation or to actions by regulatory authorities. See also Item 1A. " Risk Factors - Risks Related to Information Technology and Intellectual Property-Information technology system failures or breaches of our network security could interrupt our operations and have a material adverse effect on our business, financial condition and results of operations ." Governance The Audit Committee of our Board is tasked with oversight of certain risk issues, including cybersecurity. T he Audit Committee receives reports on cybersecurity at least twice annually from the Company’s Chief Information Officer, who has over 25 years of experience in the management of information technology systems and cybersecurity. These reports cover trends vulnerability management, cybersecurity posture, risk assessment findings, incident responses and updates on technology initiatives. The Audit Committee briefs the full Board of Directors on these matters as a part of its reports of its meetings.

Company Information