CARROLS RESTAURANT GROUP, INC. 10-K Cybersecurity GRC - 2024-03-08

Page last updated on July 2, 2024

CARROLS RESTAURANT GROUP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 16:07:23 EST.


10-K filed on 2024-03-08

CARROLS RESTAURANT GROUP, INC. filed a 10-K at 2024-03-08 16:07:23 EST
Accession Number: 0000809248-24-000048


Item 1C. Cybersecurity.

Risk Management and Strategy

Managing cybersecurity risks and securing our sensitive data and systems are a critical part of our business operations and of paramount importance to our organization. Consequently, our cybersecurity risk management program is integrated into our overall enterprise risk management (ERM) program. We have developed and implemented a cybersecurity risk management program that leverages the Center for Internet Security Critical Security Controls framework (CIS CSC).

As part of our cybersecurity risk management program, we use multiple internal and external systems and tools to help monitor, identify, assess and manage material risks from cybersecurity threats and protect the Company’s data and systems. We also monitor various sources to identify risks including, but not limited to, data from government entities, security vendors, and industry sources.

Our cybersecurity risk management program includes:

- We leverage third-party cybersecurity vendors to test our systems, identify previously undiscovered risks in the environment and validate existing cybersecurity controls. We maintain a process to oversee and identify risks from cybersecurity threats associated with our use of third-party vendors with access to our resources.
- We educate our users on cybersecurity prevention tactics through monthly security awareness training and ongoing phishing tests.
- Email is protected through multiple layers of security that cover all internal and external communication.
- We have a robust patching and remediation process for our systems. We use a managed risk service to help detect and prioritize vulnerabilities found in the environment and track them for remediation.
- We have a disaster recovery plan and controls designed to protect against business interruption, including multiple backups of our critical systems.
- We deploy technical safeguards designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, access controls, extended detection and response, and event monitoring.

Cybersecurity Governance

Our Board of Directors is responsible for oversight of risk management, including cybersecurity risks. The Audit Committee is updated quarterly on current cybersecurity events, metrics and other technology risks by our Chief Information Officer and Senior Director of Technical Operations & Security. The Audit Committee, in turn, provides the Board of Directors with updates regarding cybersecurity risks as it deems necessary or appropriate.

Our Internal Cybersecurity Team is comprised of the Chief Information Officer, Senior Director of Technical Operations & Security, and Information Security Manager. This team is responsible for managing efforts to assess, detect, prevent, mitigate and remediate cybersecurity risks, threats and incidents. This team has combined experience of 70 years in Information Technology, with over 35 years in managing cybersecurity programs, and hold various cybersecurity certifications. In addition, this team meets monthly with the IT leadership team to review current risks and trends, along with monitoring ongoing cybersecurity metrics.

While risks from cybersecurity threats have not materially affected our business strategy, results of operations or financial condition, a future cybersecurity incident could do so by, among other things, interrupting our operations, causing reputational harm and/or exposing us to litigation.

Company Information

SIC Description: Retail-Eating Places
Ticker: TAST - Nasdaq
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 30