Restaurant Brands International Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Restaurant Brands International Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 15:04:05 EST.

Filings

10-K filed on 2024-02-22

Restaurant Brands International Inc. filed an 10-K at 2024-02-22 15:04:05 EST
Accession Number: 0001618756-24-000020

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity risk management and strategy We recognize the critical importance of maintaining the trust and confidence of our customers, franchisees and employees. Consequently, our cybersecurity policies, standards, processes and practices are embedded within our overall enterprise risk management ( ERM ) program. Our operations utilize multiple information systems, including accounting software, human resources management software, back of house systems, supply chain software, our brands mobile apps, online ordering platforms, in-restaurant kiosks, point-of-sale software, and back-of-house software. In the ordinary course of our business, we collect, process, transmit, disclose, and retain personal information regarding our employees, our franchisees, vendors, contractors, and guests (which can include social security numbers, social insurance numbers, banking and tax identification information, health care information for employees, and credit card information) and our franchisees collect similar information. To protect the information that we gather and the availability of our information systems from cybersecurity threats, we have an ongoing cybersecurity risk mitigation program, which includes maintaining up-to-date detection, prevention and monitoring systems and contracting with outside cybersecurity firms to provide continuous monitoring of our systems as well as threat-detection services. We define a cybersecurity threat as any potential unauthorized occurrence on or conducted through our information systems or information systems of a third party that we utilize in our business that may result in adverse effects on the confidentiality, integrity or availability of our information systems or any information residing therein. Our cybersecurity policies, standards, processes, and practices are based on recognized frameworks established by the National Institute of Standards and Technology and include the following components: Collaborative Approach: We have implemented a comprehensive, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. Deployment of Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Development and Periodic Testing of Incident Response and Recovery Planning: We have developed and maintain comprehensive incident response and recovery plans that address our response to cybersecurity threats, and such plans are tested and evaluated on a regular basis. Our periodic testing of these plans includes a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Audit Committee, and we adjust cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews. Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, franchisees and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. 24 Table of Contents Implementation of Regular and Mandatory Employee Training and Awareness Programs: We provide regular, mandatory training for our personnel regarding cybersecurity threats as a means to equip them with effective tools to detect and address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices. Governance Our Audit Committee oversees our ERM process, including the management of risks arising from cybersecurity threats. The Audit Committee regularly receives presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. Our Internal Audit function performs periodic audits of our cyber security program and reports results to the Audit Committee. On a periodic basis, the Audit Committee discusses our approach to cybersecurity risk management with our Chief Information Security Officer ( CISO ). Our CISO works in coordination with our senior management and leaders at each of our brands to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. Our CISO and the internal security team monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Audit Committee when appropriate. We also use a Managed Security Service Provider (MSSP) to provide continuous monitoring of our systems and supplement our internal security team. As of December 31, 2023, our CISO has served in various roles in information technology and information security for over 37 years, as an IT auditor and an IT security executive. He has been in various industries including Finance, Manufacturing and Retail. The CISO has both the CISA and CRP designations. While cybersecurity threats as a result of any previous cybersecurity incidents have not materially affected our business strategy, results of operations or financial condition, future incidents may interrupt our operations, cause reputational harm, subject us to increased operating costs and/or expose us to litigation. Executive Officers of the Registrant Set forth below is certain information about our executive officers as of February 20, 2024. Name Age Position J. Patrick Doyle 60 Executive Chairman Joshua Kobza 37 Chief Executive Officer Matthew Dunnigan 40 Chief Financial Officer Axel Schwan 50 President, Tim Hortons Canada & U.S. Thomas B. Curtis 60 President, Burger King U.S. & Canada Sami Siddiqui 39 President, Popeyes U.S. & Canada David Shear 39 President, International Duncan Fulton 48 Chief Corporate Officer Jeff Housman 42 Chief People & Services Officer Jill Granat 58 General Counsel and Corporate Secretary Jacqueline Friesner 51 Controller and Chief Accounting Officer Patrick Doyle. Mr. Doyle has served as Executive Chair of our Board since January 2023 and was appointed Executive Chairman of RBI in November 2022. Most recently, he served as an executive partner focused on the consumer sector of the Carlyle Group, a global diversified investment firm from September 2019 through November 2022, Prior to that he served as the chief executive officer of Domino s Pizza from March 2010 to June 2018, having served as president from 2007 to 2010, as executive vice president of Domino s Team USA from 2004 to 2007 and as executive vice president of Domino s International form 1999 to 2004. Joshua Kobza. Mr. Kobza was appointed Chief Executive Officer of RBI effective March 1, 2023. Prior to that, Mr. Kobza served as Chief Operating Officer of RBI from January 2019 to March 2023, as Chief Technology and Development Officer of RBI from January 2018 to January 2019, and as Chief Financial Officer of RBI from December 2014 to January 2018. From April 2013 to December 2014, Mr. Kobza served as Executive Vice President and Chief Financial Officer of Burger King Worldwide. Mr. Kobza joined Burger King Worldwide in June 2012 as Director, Investor Relations, and was promoted to Senior Vice President, Global Finance in December 2012. 25 Table of Contents Matthew Dunnigan. Mr. Dunnigan was appointed Chief Financial Officer of RBI in January 2018. From October 2014 until January 2018, Mr. Dunnigan held the position of Treasurer, where he took on increasing responsibilities and successfully led all of RBI s capital markets activities. Before he joined RBI, Mr. Dunnigan served as Vice President of Crescent Capital Group LP, from September 2013 through October 2014, where he evaluated investments across the credit markets. Prior to that, Mr. Dunnigan was a private equity investment professional for H.I.G. Capital. Axel Schwan. Mr. Schwan was appointed as President, Tim Hortons Canada & US in October 2019 after serving as Global Chief Marketing Officer for Tim Hortons since October 2017. Mr. Schwan first joined RBI as Marketing Director, Germany, Austria and Switzerland in 2011 and was then appointed as Vice President, Marketing and Communications, EMEA for Burger King before advancing to the role of Global Chief Marketing Officer for the brand in January 2014. Prior to joining RBI, Mr. Schwan led the Schwan family restaurant business, alongside his sister, and worked in various marketing roles at Unilever and Danone in Germany. Tom Curtis. Mr. Curtis was appointed President, Burger King U.S. & Canada in October 2021. From May 2021 to October 2021, he was the Chief Operating Officer, where he was responsible for overseeing field operations, restaurant development and restaurant operations. Prior to joining BKC, Mr. Curtis spent 35-years at Domino s Pizza, Inc., where he most recently served as Executive Vice President, U.S. Operations and Global Operations Support, overseeing both franchise and company-owned operations from March 2020 to April 2021. Prior to that, he served as Executive Vice President, Corporate Operations from July 2018 to March 2020, and as Vice President of Franchise Relations and Operations Innovation from March 2017 to July 2018. Mr. Curtis joined Domino s in 2006, after being a Domino s franchisee since 1987. Sami Siddiqui. Mr. Siddiqui was appointed President, Popeyes U.S. & Canada in September 2020. Prior to that Mr. Siddiqui served as President of Asia Pacific for RBI from February 2019 to September 2020 and as Chief Financial Officer for Burger King Corporation from October 2018 to February 2019. From September 2016 to September 2018, he was President of Tim Hortons and from April 2015 to September 2016, he was Executive Vice President, Finance for Tim Hortons. Mr. Siddiqui joined Burger King Corporation in 2013 and served various capacities within the Global Finance groups of Burger King Corporation prior to joining the Tim Hortons team. David Shear . Mr. Shear was appointed President International of RBI in January 2021. Mr. Shear previously served as President EMEA beginning in September 2016. Mr. Shear joined the predecessor of RBI in 2011, holding roles of increasing responsibility within Burger King U.S. marketing. He then held various roles in Asia Pacific, including serving as President of Burger King APAC from 2014 to 2016. Prior to joining Burger King, Mr. Shear worked at strategy consulting firm Charles River Associates. Duncan Fulton . Mr. Fulton was appointed Chief Corporate Officer of RBI, in June 2018, overseeing global communications, North American franchising, government relations and ESG initiatives. Mr. Fulton also serves as Chairman of the Board of Directors for the Tim Hortons Foundation. Prior to joining RBI, Mr. Fulton held several positions with Canadian Tire Corporation (CTC) from November 2009 to March 2018, including Senior Vice President of Corporate Affairs, Chief Marketing Officer for FGL Sports and Mark s Work Warehouse, and President of FGL Sports. Previously, Mr. Fulton was Senior Partner and General Manager of Fleishman-Hilliard from April 2002 to November 2009. Prior to his agency experience, Mr. Fulton served as a communication advisor and spokesman for several political leaders, including former Canadian Prime Minister Jean Chr tien, Ontario Premier Dalton McGuinty and New Brunswick Premier Frank McKenna. Jeff Housman. Mr. Housman was appointed Chief People & Services Officer of RBI in April 2021 and previously served as Chief Human Resources Officer beginning in February 2017 as well as Head of Global Business Services from January 2015 to January 2017. Mr. Housman joined Burger King in April 2013 serving in finance, real estate and business services roles. Prior to joining Burger King, Mr. Housman worked in investment banking at J.P. Morgan, and he holds an MBA from Columbia Business School and a Bachelor s in Business Administration from Emory University. Jill Granat. Ms. Granat was appointed General Counsel and Corporate Secretary of RBI in December 2014. Ms. Granat served as Senior Vice President, General Counsel and Secretary of Burger King Worldwide and its predecessor since February 2011. Prior to this time, Ms. Granat was Vice President and Assistant General Counsel of Burger King Corporation from July 2009 until February 2011. Ms. Granat joined Burger King Corporation in 1998 as a member of the legal department and served in positions of increasing responsibility with Burger King Corporation. Jacqueline Friesner. Ms. Friesner was appointed Controller and Chief Accounting Officer of RBI in December 2014. Ms. Friesner served as Vice President, Controller and Chief Accounting Officer of Burger King Worldwide and its predecessor from March 2011 until December 2014. Prior thereto, Ms. Friesner served in positions of increasing responsibility with Burger King Corporation. Before joining Burger King Corporation in October 2002, she was an audit manager at Pricewaterhouse Coopers in Miami, Florida. 26 Table of Contents

Company Information