CAVA GROUP, INC. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

CAVA GROUP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:45:29 EST.

Filings

10-K filed on 2024-02-27

CAVA GROUP, INC. filed a 10-K at 2024-02-27 16:45:29 EST
Accession Number: 0001628280-24-007277


Item 1C. Cybersecurity.

Risk Management and Strategy

We have developed a cybersecurity program that continuously evaluates material risks to our business and applies controls in an attempt to eliminate or mitigate them. Our key cybersecurity risks include, among others: brand and reputational damage, business disruption, regulatory and compliance risk, sensitive data loss, and reliance on third parties.

We recognize cybersecurity as an enterprise risk, and accordingly cybersecurity risk has been integrated into our overall risk management process. As part of our overall enterprise risk management process, we have established our management-level Risk Committee, composed of our Chief Information Officer, Chief Legal Officer and Chief Financial Officer, among others, which assesses overall risks to the Company based on input from our other business leaders.

We have also implemented an incident response process that is overseen by our Senior Director of Cybersecurity and supported by a multi-level incident response process led by our cybersecurity team. This is a documented framework that addresses our processes to assess, identify and manage material risks from cybersecurity threats and incidents, which are prioritized for response and remediation efforts. Our incident response process includes analysis of the impact of a cybersecurity threat or incident for materiality to ensure proper reporting. Our incident response process is continually enhanced and validated through tabletop exercises and engagements with third-party partners.

We engage third parties and auditors to assess our cybersecurity program, including the use of select penetration testing and threat intelligence services, and to assist us in adopting and implementing best practices to improve our cybersecurity program. We have also retained third parties for cybersecurity incident response engagement in the event that a cybersecurity threat or incident requires capabilities beyond those of our own cybersecurity program. In addition, we have a third-party managed security operations center that provides 24/7 monitoring and alerting, threat intelligence, and posture recommendations.

We are members of the Retail and Hospitality Information Sharing and Analysis Center, with more than 250 member companies from the retail, hospitality, and travel industries, which enables us to benchmark our cybersecurity risks, identify and adopt best practices for our cybersecurity program, subscribe to threat intelligence alerts, and contribute to the collective defense of our industries.

We have a process to oversee and identify material risks from cybersecurity threats associated with the use of third-party service providers. We conduct a third-party risk assessment program through the use of assessment templates, surveys and contractual requirements that evaluates certain potential and current vendors in connection with our security standards. If, following an evaluation, a third-party's cybersecurity controls are assessed by us as inadequate based on risk, we work with our business partners to engage a replacement vendor and remediate or seek to reduce our exposure, if any.

While we are subject to continuous cybersecurity threats and attacks like most companies, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, as discussed more fully under Item 1A. Risk Factors, cybersecurity threats are continually evolving to become more sophisticated and there is a risk that we could experience compromise of our information technology systems and data. Accordingly, while we continue to make significant investment in physical and technological security measures, including third-party services designed to anticipate cyber-attacks and prevent breaches, we cannot provide assurance that we will be successful in adequately responding to, or preventing, cyber-attacks. We also maintain cybersecurity insurance that is regularly reviewed to assess whether there is appropriate coverage.

Governance

Role of the Board

The Audit Committee of the Board of Directors is responsible for the primary oversight of strategic risk, including cybersecurity risk oversight. The Audit Committee receives regular reports on at least a quarterly basis from our cybersecurity team, led by our Chief Information Officer, typically on, among other things, our cybersecurity posture, cybersecurity benchmarking, potential cybersecurity vulnerabilities, and other cybersecurity interest items such as the external cybersecurity environment, items requiring Audit Committee input, and our broader cybersecurity program roadmap, in order to monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The Audit Committee regularly reports to the full Board of Directors regarding its activities, including those related to cybersecurity.

Role of Management

We have established a management-level Risk Committee, that is led by the Chief Legal Officer, and also includes the Chief Information Officer and Chief Financial Officer, as well as certain of their respective Team Members. The Risk Committee meets on at least a quarterly basis to review enterprise risks, including with respect to cybersecurity, as applicable. Enterprise risks, including cybersecurity risk, are briefed to the Audit Committee on at least a quarterly basis by our Chief Legal Officer in coordination with the Senior Director of Cybersecurity and Chief Financial Officer, or through general updates.

In addition, our cybersecurity team, led by the Chief Information Officer, works cross functionally with our legal and other business functions to provide cybersecurity training and, as appropriate, manage cybersecurity risks and incidents. Our Chief Information Officer and our Senior Director of Cybersecurity each have more than two decades of experience in technology and cybersecurity. The cybersecurity team has related academic degrees, multiple certifications, and real-world experience managing cybersecurity incidents and risks and is responsible for building out the materials for review by leadership.


Company Information

Name: CAVA GROUP, INC.
CIK: 0001639438
SIC Description: Retail-Eating Places
Ticker: CAVA - NYSE
Website
Category: Non-accelerated filer
Emerging growth company
Fiscal Year End: December 30