Driven Brands Holdings Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Driven Brands Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 08:08:08 EST.

Filings

10-K filed on 2024-02-28

Driven Brands Holdings Inc. filed a 10-K at 2024-02-28 08:08:08 EST
Accession Number: 0001804745-24-000005


Item 1C. Cybersecurity.

We maintain a cybersecurity program that is reasonably designed to protect our information, and our customers' information, from cybersecurity threats against us, our franchisees, our third-party vendors, and services providers, that may result in a material adverse effect on the confidentiality, integrity, and availability of our information systems.

Governance

Management

Our Cybersecurity Team, led by our Chief Information Security Officer ("CISO"), is responsible for the implementation, monitoring, and maintenance of the cybersecurity and data protection practices across the Company. The CISO, in conjunction with a cross-functional team, regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. In addition to our internal cybersecurity capabilities, we also regularly engage consultants, and other third parties to assist with assessing, identifying, and managing cybersecurity risks and to participate in tabletop and other training exercises.

Board of Directors

Our Board of Directors, in coordination with its Audit Committee, oversees the Company's enterprise risk management process, including the management of risks arising from cybersecurity threats. The Audit Committee regularly receives reports and presentations from the CISO regarding cybersecurity. The CISO also reports to the Board at least annually on cybersecurity matters. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, are reported to the Board and/or Audit Committee.

Risk Management and Strategy

We employ a defense-in-depth approach with systems and processes designed to oversee, identify, and reduce the potential impact of a security incident against us or a third-party vendor or service provider. These include but are not limited to: Multi-factor Authentication, Privileged Account Management, Endpoint, Email and Cloud Security platforms, immutable backups, vulnerability scanning, third party risk assessments, and other applicable controls.

Incident Response

We have adopted a Cybersecurity Incident Response Plan (the "IRP") that applies in the event of a cybersecurity incident that provides a standardized framework for responding to cybersecurity incidents. The IRP sets out a coordinated approach to investigating, containing, documenting, and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate, and complying with application regulatory notifications and standards. In general, the IRP leverages the NIST Cybersecurity Framework and the Computer Security Incident Handling Guide (NIST SP 800-61) to guide practices in preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation. The IRP applies to all Company personnel (including third-party contractors, vendors and partners) that perform functions or services require access to secure Company information, and to all devices and network services that are owned or managed by the Company.


Company Information

Name: Driven Brands Holdings Inc.
CIK: 0001804745
SIC Description: Services-Automotive Repair, Services & Parking
Ticker: DRVN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 29