Texas Roadhouse, Inc. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Texas Roadhouse, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 11:25:35 EST.

Filings

10-K filed on 2024-02-23

Texas Roadhouse, Inc. filed a 10-K at 2024-02-23 11:25:35 EST
Accession Number: 0001558370-24-001595


Item 1C. Cybersecurity.

Risk Management and Strategy

In the course of our operations, the Company receives and maintains sensitive information from our guests, employees, partners and business operations. To address cybersecurity threats to this information, the Company uses a risk-based approach to create and implement a detailed set of information security policies and procedures based on frameworks established by the National Institute of Standards and Technology.

The Company's Head of Information Security leads the Company's cybersecurity efforts under the direct oversight of our Chief Technology Officer. Together, these individuals have over 50 years of experience involving information technology, including security, auditing, compliance, systems and programming. Additionally, the Company engages in the use of external cybersecurity experts for training, contingency planning, consultation and process documentation.

The Company has implemented detective and preventative controls designed to ensure the appropriate level of protection for the confidentiality, integrity and availability of data stored on or transferred through our information technology resources. The Company has a risk assessment process to identify risks associated with our use of third-party service providers and has implemented specific processes and controls designed to mitigate those identified risks. Both internal and third-party audits are performed routinely to verify that these controls are effective. Additionally, the Company has implemented trainings designed to provide best practices for protecting our network and systems, and also routinely leads exercises for employees to reinforce the risk and proper handling of targeted emails. The Company's Head of Information Security is responsible for developing and implementing these controls and training exercises with support from our information technology department.

The Company's enterprise risk management program has established an internal risk committee to evaluate information governance risks. This committee comprises members of management of the Company's information technology, human resources, marketing, accounting, risk, procurement, training, finance and legal functions, and is focused on performing risk assessments to identify areas of concern and implement appropriate changes to enhance its cybersecurity and privacy policies and procedures. The internal risk committee is informed of the Company's risk prevention and mitigation efforts on a regular basis. The committee is also briefed on detection and remediation of cybersecurity incidents in a timely manner following the detection of any potential events.

The Company has a crisis response team comprising senior members of various corporate functions to oversee the response to various crises including potential crises arising from cybersecurity incidents that may impact the Company and/or its vendor partners. This team conducts regular tabletop exercises to simulate responses to cybersecurity incidents. To the extent there is a cybersecurity incident impacting the Company and/or a vendor partner, the crisis response team's process would be to ensure that our Head of Information Security and Chief Technology Officer are informed immediately and that the potential impact of the incident and remedial measures arising from the incident are communicated to the executive officers of the Company.

There can be no guarantee that our policies and procedures will be effective. Although our risk factors include further detail about the material cybersecurity risks we face and how a cybersecurity incident may affect our business strategy, results of operations or financial condition, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incident, have not materially affected our business to date. We can provide no assurances that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations or financial condition.

Governance

The Board has authorized the audit committee to oversee the Company's risk assessment and risk management practices and strategies. This delegation includes maintaining responsibility for overseeing the Company's enterprise risk management program. As a part of this oversight role, the audit committee receives regular updates from management on cybersecurity and privacy risks impacting the Company, which includes benchmarking these risks versus our industry. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events, receive training specific to cybersecurity risks and threats and regularly discuss any updates to our cybersecurity risk management and strategy programs.


Company Information

Name: Texas Roadhouse, Inc.
CIK: 0001289460
SIC Description: Retail-Eating Places
Ticker: TXRH - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: December 25