Bloomin' Brands, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Bloomin’ Brands, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 08:04:22 EST.

Filings

10-K filed on 2024-02-28

Bloomin’ Brands, Inc. filed a 10-K at 2024-02-28 08:04:22 EST
Accession Number: 0001546417-24-000037


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We maintain a risk-based, defense-in-depth approach to cybersecurity and data protection. We assess industry best practices and standards and endeavor to leverage them in our efforts to manage cybersecurity risk. We dedicate resources and apply security controls where we believe they would be most effective to predict, prevent, detect and respond to potential security threats to our highest value information assets, which we consider to be point-of-sale systems, financial systems and confidential, personal and private customer and employee information. We use multiple safeguards to protect our internal networks and systems, including, among others, firewalls, email protection and web filtering, endpoint detection and response software, controlled access to our data and systems, segmenting our card data environment, vulnerability management and patching, and performing regular penetration testing. A risk assessment, based on the National Institute of Standards and Technology Framework, is conducted and maintained throughout the system development lifecycle and is reviewed at least annually.

We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities, and we investigate security incidents that have impacted our third-party providers, as appropriate.

As part of our information security training program, employees and contractors participate in various cybersecurity awareness activities, including formal training exercises and simulated phishing events. We also contract with third-party cybersecurity firms to conduct simulated cyberattacks and perform regular penetration testing to assess the effectiveness of our security measures. We have also engaged with external subject matter experts to assess access management, information technology asset management and our cybersecurity policies.

We have company-wide business continuity and disaster recovery plans used to prepare for multiple events, including a potential disruption in the technology on which we rely. We maintain incident response plans and playbooks to prepare for various contingencies and types of incidents. The cybersecurity incident response plan (“IRP”) includes immediate actions to mitigate and contain the short-term impact of an incident, and long-term strategies for remediation and prevention of future incidents. The IRP also includes policies that dictate escalation procedures and remediation plans based on the severity level of an incident. As part of our IRP, we consider engaging third-party cybersecurity firms to assist in the event of a significant incident. We also conduct tabletop exercises to enhance incident response preparedness.

We, like others in our industry, experience cybersecurity incidents and attempts to access our systems. In the event we experience an incident, we classify it based on its significance and track remediation actions and outcomes. Although we do not believe we have been materially affected by cybersecurity incidents or threats in the past, we cannot provide any assurance that we will not experience a material incident in the future.

As described above, we utilize a risk-based approach to manage cybersecurity risk and it is possible we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. See Item 1A. Risk Factors for additional discussion of our cybersecurity risks.

Governance

Our Board of Directors (our “Board”) has charged the Audit Committee with oversight of the Company’s identification, assessment and management of cybersecurity and data privacy risks. As part of its oversight of our enterprise risk management program, the Audit Committee periodically reviews and prioritizes key risks facing our Company, including cybersecurity risk. The Audit Committee receives quarterly updates from our head of information security and our Chief Technology Officer (“CTO”) regarding our cybersecurity program and actions taken to manage cybersecurity risk, which include risk identification and management strategies, consumer data protection, security programs, ongoing risk mitigation activities and results of third-party assessments and testing.

We maintain a dedicated cybersecurity department, which consists exclusively of Company employees, within our broader information technology department. Functions within this department range from new information technology solution design and implementation, vulnerability management, phishing awareness, threat detection and Payment Card Industry compliance to incident response. Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the head of information security, who has over 25 years of experience in the field of cybersecurity, including prior service in the military in cybersecurity roles, and relevant industry certifications commensurate with his role.

Our head of information security reports directly to the CTO, who has over 20 years of restaurant technology experience. Our CTO receives status reports from our cybersecurity department regularly and reports to our Chief Executive Officer, who receives updates on incidents, trends, projects and other relevant information regularly. In addition, as part of our incident response planning, we maintain cross-functional response teams to be prepared to respond to an incident.


Company Information

Name: Bloomin’ Brands, Inc.
CIK: 0001546417
SIC Description: Retail-Eating Places
Ticker: BLMN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30