CHEESECAKE FACTORY INC 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

CHEESECAKE FACTORY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 17:00:56 EST.

Filings

10-K filed on 2024-02-26

CHEESECAKE FACTORY INC filed a 10-K at 2024-02-26 17:00:56 EST
Accession Number: 0001104659-24-027565


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan.

We design and assess our program generally based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Although our program may not meet the technical requirements of the NIST CSF, we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Additionally, as we accept credit cards as a form of payment, we consider the requirements of the Payment Card Industry Data Security Standards (PCI DSS) in relation to our program.

Our cybersecurity risk management program includes:

- risk assessments designed to help identify material cybersecurity risks to our critical systems, information, and our broader enterprise information technology environment, including, by regularly scanning our environment for vulnerabilities, performing penetration testing and engaging third parties to assess the effectiveness of our technical cybersecurity practices.
- a multi-disciplinary security team overseen by our Information Security Council, principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls, including, third-party network security reviews, scans, and audits, on at least an annual basis;
- the use of a third-party Managed Security Service Provider (MSSP) that includes a 24x7 security operations center (SOC) that is designed to monitor and analyze suspected suspicious activity on our internal network and remediate or escalate activity as appropriate;
- regular cybersecurity awareness training for employees with access to our information systems, incident response personnel, and senior management;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
- a disaster recovery plan and controls designed to protect against business interruption, including by backing up our critical systems;
- use of end-to-end encryption and tokenization technology, a public key infrastructure, designed to ensure that only trusted devices can access our enterprise information technology network, and Intrusion Detection and Intrusion Prevention (IDS/IPS) that scans data in transit to help detect and prevent the execution of harmful code; and
- a third-party risk management process for service providers, suppliers, and vendors who have access to our information systems.

There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or are effective in protecting our systems and information.

We are not currently aware of risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

Cybersecurity Governance

Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (Committee) oversight of steps the Company has taken to monitor or mitigate significant cybersecurity risks. The Committee receives regular reports from management on our cybersecurity risks. In addition, management updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Committee reports to the full Board of Directors regarding its activities, including those related to cybersecurity. The full Board of Directors also receives briefings from management on our cyber risk management program. Board of Directors members receive presentations on cybersecurity topics from our Chief Information Officer (CIO), internal security staff and/or external experts, as appropriate, as part of the Board of Directors continuing education.

Our management formed an interdepartmental Information Security Council (ISC), comprised of senior executives from multiple disciplines, including our CIO and Vice President of Infrastructure Services, to assess and manage our material risks from cybersecurity threats. The ISC has primary responsibility for our overall cybersecurity risk management program. Our CIO, Vice President of Infrastructure Services, and others within our Information Technology department supervise both our internal cybersecurity personnel and our retained external cybersecurity consultants.

Our CIO and Vice President of Infrastructure Services have a combined 50+ years of experience in information technology, with increasing oversight of cybersecurity responsibilities over the past 20+ years. Our management teams, including the ISC, our CIO, Vice President of Infrastructure Services, and others within our Information Technology department, as appropriate, supervise efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology environment.


Company Information

Name: CHEESECAKE FACTORY INC
CIK: 0000887596
SIC Description: Retail-Eating Places
Ticker: CAKE - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: January 1