Portillo's Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Portillo’s Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 08:07:06 EST.

Filings

10-K filed on 2024-02-27

Portillo’s Inc. filed a 10-K at 2024-02-27 08:07:06 EST
Accession Number: 0001871509-24-000013


Item 1C. Cybersecurity.

Risk Management Philosophy and Strategy

As part of our overall risk management strategy, we have increased our attention to cybersecurity. Responsibility for cybersecurity risk management is a team effort, with day-to-day oversight and management from our executive and information technology (“IT”) teams, the Audit Committee taking a more active role in setting both proactive and reactive strategies and our Board overseeing our efforts and helping to guide our strategy. Our primary source of cybersecurity risk relates to security of our third-party service providers, whose activities and scale may present more desirable targets. However, we do maintain certain systems ourselves and appreciate the need to focus internally as well.

We manage cybersecurity risk through a variety of tactics, including (i) the structure of our systems and platforms, (ii) the contractual terms with our third-party vendors, (iii) the proactive vulnerability assessments we conduct (or require our vendors to conduct), (iv) compliance with applicable regulations and continuous improvement around best practices, (v) mitigating user error and human vulnerabilities through training and guidance and (vi) the placement of cybersecurity insurance policies.

We employ a Defense in Depth strategy to protect the Company, segmenting our systems and networks so that an attack on one segment does not allow for easier compromise of other systems and networks. Within the Company, administrative access to various systems is limited so that there is no universal access if an administrator-level account is compromised.

We involve our IT team when negotiating contracts that could increase our cybersecurity risk exposure, so that the team is aware of the specific risks related to a given vendor and can provide feedback and advice on the contractual provisions necessary to prevent a cybersecurity incident, or in the event an incident does occur, to ensure that the Company has the necessary rights to act quickly to protect team members, guests, and our business and mitigate potential damage. We are continuously improving our processes and contract positions to reflect evolving risks and market practices.

We appreciate the need to monitor and test our systems to make sure that they are working the way that they should. We negotiate with our vendors about a variety of monitoring, testing, and reporting provisions so that we can work with them to better address vulnerabilities. This may include sharing SOC 1 or SOC 2 Type 2 audit reports, conducting periodic penetration and vulnerability testing and confirmation that vendors are adhering to applicable laws. We also deploy the same approach internally, and we are currently expanding our testing efforts across our servers and networks, continually monitoring access (including more formal quarterly access reviews for any systems that are subject to SOX oversight), and documenting changes via a ticketing system. In addition to tracking logins, our monitoring system is equipped to respond automatically to certain triggers, taking a range of actions, from notifying administrators to locking out an account. Some of this testing and monitoring is conducted in-house and some is conducted by third-party vendors.

As a restaurant and public company, we are subject to Payment Card Industry Data Security Standards (“PCI-DSS”) and SOX requirements and we take steps to make sure that we are compliant with those regulations. We also continue to monitor evolving laws and regulations related to security and privacy and look for opportunities to improve our systems based on evolving best practices in the IT industry.

We know that people are often the most vulnerable element in an IT ecosystem. We work with team members at all levels to educate them about evolving risks, from well-known tactics and scams (e.g., phishing) to their more sophisticated descendants (e.g., vishing, spear phishing and smishing). Team members receive training on data security and privacy practices and are included in periodic awareness campaigns to test real-world responses. We are on the lookout for additional training opportunities and have recently begun scheduling tabletop exercises to test our PCI-related responses and creating new business interruption plans. The Company also employs and enforces a number of policies to guide team member behavior and help protect against threats, covering everything from regular password updates to obtaining permission to install third-party programs and use personal devices. Team member training reinforces the Company’s risk management policies and procedures and the expectation that all team members will adhere to them.

The Company also maintains a cybersecurity insurance policy that we believe is appropriate for a company of our size and risk profile, but it is possible that it may not fully cover the costs associated with a cybersecurity incident. We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected our business strategy, results of operations or financial condition. However, there is no guarantee that a future cybersecurity incident would not materially affect our future strategy, results or financial condition. For a more in-depth discussion of risks associated with cybersecurity and cybersecurity insurance risks, see Item 1A, “Risk Factors.”

Oversight and Execution of Our Cybersecurity Risk Strategy

Both the Board and the Audit Committee play an important role in the Board’s oversight of cybersecurity threats. The Audit Committee receives periodic updates on the Company’s risk profile and mitigation strategies and conducts forward-looking discussions about major IT changes that are planned, the risks involved and the Company’s potential mitigation strategies. The Audit Committee shares updates with the broader Board. We presently have three Directors, Ann Bordelon, Chair of the Audit Committee, Paulette Dodson, and Noah Glass, who have cybersecurity risk management experience, and we continue to monitor whether supplemental experience may be useful as cybersecurity threats continue to evolve.

Day-to-day management of cybersecurity risk sits with our Vice President of Information Technology (“ITVP”) and his team. As noted above, the team conducts risk assessment activities on a regular basis. The team also liaises with cross-functional partners and outside experts, including legal counsel and consultants, and reviews applicable security frameworks (e.g., National Institute of Standards and Technology (“NIST”)) to identify the legal requirements and industry practices and expectations that the Company’s security measures should satisfy. The Company regularly updates its practices to incorporate new best practices and strengthen compliance with SOX, PCI-DSS and the Health Insurance Portability and Accountability Act requirements. These activities are used to develop and update the Company’s cybersecurity risk profile. The team then identifies the potential mitigation measures to address these risks, and may bring in consultants as appropriate based on their expertise and knowledge of the Company to develop strategies that are tailored to the Company’s needs and profile. These measures include business continuity plans (which are developed in connection with our risk management team and the users of a given platform), improving system redundancy to limit disruptions and eliminating single points of failure where possible.

In addition to our ITVP, the cybersecurity portion of our IT team includes one dedicated team member and four additional team members who handle cybersecurity risks in addition to other job responsibilities. To address any gaps in the Company’s collective expertise and to account for the ever-evolving nature of cybersecurity risks, the Company retains various consultants as noted above. The internal and external headcount, and the expertise of the employees and consultants, will change from time to time as we adapt to the changing cybersecurity environment. Our ITVP has over twelve years of experience in IT at Portillo’s, including managing cybersecurity risks. He reports to our Chief Financial Officer and updates her on a weekly basis. Our Chief Financial Officer discusses IT matters, including security, during weekly executive leadership meetings and may call upon the ITVP periodically to report directly to the team. Following these meetings, the ITVP works with his team to address any feedback received. Cybersecurity and privacy objectives are built into the ITVP’s annual objectives and those of his team, and his short-term incentive compensation reflects how successful he, the team and the Company are at accomplishing those objectives.

Detecting and Responding to a Cybersecurity Incident

As noted previously, both we and our vendors (to the extent contractually required) monitor systems for potential incidents. We are working with our vendors to determine the applicable warning flags and thresholds and appropriate notification processes based on the services provided and type of data processed. In the event of a cybersecurity incident, whether the attack is on the Company or on a third-party service provider, the IT team conducts an initial assessment to estimate the scope and potential impact of the attack. The team also identifies critical information yet to be determined.

A cross-functional team meets about the results of the initial assessment, including the nature and scope of the attack, which Company functions are affected, the response from the service provider (if a third-party incident), both financial and non-financial measures of materiality, the expected duration of the incident, any open or unknown information, and the status of the Company’s response. Following the initial briefing, depending on the seriousness of the incident, a cadence for updates and escalation is established and the cross-functional team continues to investigate, mitigate and resolve the incident, retaining outside counsel, forensic investigators and other consultants as needed. Priority is given to critical business functions/tasks/processes. Progress and developments are reported to more senior leadership based on the severity of the incident, up to and including the Board.


Company Information

Name: Portillo’s Inc.
CIK: 0001871509
SIC Description: Retail-Eating Places
Ticker: PTLO - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30