Wingstop Inc. 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

Wingstop Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:52:47 EST.

Filings

10-K filed on 2024-02-21

Wingstop Inc. filed an 10-K at 2024-02-21 16:52:47 EST
Accession Number: 0001636222-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management The Company maintains a comprehensive information security program that is designed to identify, protect against, detect and respond to, and manage cybersecurity threats. The program contains security measures that include, but are not limited to, the following: security policies and procedures; physical and environmental protections; monitoring processes and systems; asset management; risk assessments; a vulnerability management and remediation program; and maintenance of a third-party risk management program. We consult the National Institute of Standards and Technology Cyber Security Framework for guidance and leverage internal and external resources to design and execute our cybersecurity program. The Company also trains employees to understand their role in attempting to protect the Company from cybersecurity attacks. Our information security training program for employees includes computer-based training at hire, annual follow-up training and acknowledgement of our information security policies, regular internal communications, and testing to measure the effectiveness of our information security program. For example, we conduct regular phishing awareness campaigns designed to emulate current threats and provide immediate feedback and, as necessary, additional training or remedial action. In addition, the Company engages third parties to assist in assessing, identifying, and remediating material risks from cybersecurity threats. Our key cybersecurity controls are regularly tested and audited by third-party service providers, which we retain to help identify vulnerabilities in our systems and to help maintain compliance to standards and regulatory requirements. Other third-party service providers are enlisted by the Company for security operations center services to augment our teams monitoring capabilities and to assist with our investigation and response to alerts on emerging and ongoing threats. We also maintain a third-party risk management program that includes policies and procedures designed to oversee and manage the cybersecurity risks associated with our third-party service providers. The Company conducts risk assessments at the initial onboarding of vendors or service providers who have access to Company systems or data and, subsequently, at regular intervals in an effort to help determine the severity and scope of risks to Company systems, data and operations. In addition to implementing safeguards that attempt to minimize risks associated with a cybersecurity incident, the Company maintains disaster recovery and business continuity plans that include data backup capabilities. We also have incident response procedures designed to address cybersecurity events that may occur despite the safeguards we have put in place. Further, our incident response procedures and business continuity plans are also designed to assist in responding to breaches of any of our third-party service providers. As of the date of this report, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. In 2023, the Company reinforced its business continuity plan in an effort to provide increased oversight of our third-party service providers and suppliers. Risks from cybersecurity threats that are reasonably likely to materially affect the Company, its business strategy and results of operations or financial condition, include (but are not limited to): data loss; a disruption to our operations; a compromise or corruption of confidential or proprietary information; damage to our employee and business relationships and reputation; increased burden of regulatory compliance; and/or litigation and liability. See our related risk factors in Item 1A. Risk Factors for more information about the Company s risks from cybersecurity threats and how such threats may impact the Company s business, operations, and financial results. Governance Our Board classifies cybersecurity and information technology infrastructure among the most significant potential risks to our business in the Company s enterprise risk management program. The Technology Committee, which consists of five independent directors, is responsible for the oversight of the Company s cybersecurity and technology-related risks and management s efforts to monitor and oversee those risks. The Technology Committee oversees these risks in conjunction with the Audit Committee, which also consists entirely of independent directors, and regularly participates in joint meetings with the Audit Committee to discuss these matters. Our Senior Director of Information Security and Data Privacy, who has more than 20 years of experience in information technology-related roles, including engineering, governance, and security, oversees our information security program and 26 matters of risk relating to cybersecurity. Members of our Information Technology team periodically provide risk reports to the Board and its committees, including assessments of the Company s cybersecurity risks, their potential impact on our business operations, and management s strategies to monitor and mitigate those risks. The committee chairs, in turn, report to the full Board as part of our general risk management process. 27

Company Information