Krispy Kreme, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Krispy Kreme, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:44:39 EST.

Filings

10-K filed on 2024-02-27

Krispy Kreme, Inc. filed an 10-K at 2024-02-27 16:44:39 EST
Accession Number: 0001857154-24-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We have processes in place for assessing, identifying, and managing material risks from potential unauthorized occurrences on or through our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems. These include a wide variety of mechanisms, controls, technologies, methods, systems, and other processes that are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities affecting the data. The data include confidential, proprietary, and business and personal information that we collect, process, store, and transmit as part of our business, including on behalf of third parties. We also maintain a third-party security program to identify, prioritize, assess, mitigate and remediate third-party risks; however, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful. As part of our risk management process, we conduct application security assessments, vulnerability management, penetration testing, security audits, and ongoing risk assessments. We also maintain a variety of incident response plans that are utilized when incidents are detected. Our incident response plans coordinate the activities that we and our third-party cybersecurity provider take to prepare to respond and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. We require employees with access to information systems, including all corporate employees, to undertake data protection and cybersecurity training and compliance programs periodically. Our systems periodically experience directed attacks intended to lead to interruptions and delays in our operations as well as loss, misuse or theft of personal information (of third parties, employees, and our members) and other data, confidential information, or intellectual property. Risk from cybersecurity threats, including relating to past incidents, have not materially affected our systems or business. Any significant disruption to our operations or access to our systems could adversely affect our business and results of operations. Further, a penetration of our systems or a third party s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation, and reputation risk, which could have a negative effect on our business, financial condition and results of operations. See “Risk Factors - Risks Related to Cybersecurity, Data Privacy, and Information Technology. The Chief Information Officer ( CIO ) leads our global information security organization responsible for overseeing the Company s information security program. Our CIO has over 25 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Team members who support our information security program have relevant educational and industry experience, including holding similar positions at large technology companies. The teams provide regular reports to senior management and other relevant teams on various cybersecurity threats, assessments, and findings. Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. The Audit Committee of the Board of Directors oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. The Audit Committee also oversees our cybersecurity risk and receives regular reports from our CIO on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. 28 Table of Contents

Company Information