Fat Brands, Inc 10-K Cybersecurity GRC - 2024-03-12

Page last updated on July 16, 2024

Fat Brands, Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 17:23:30 EDT.


10-K filed on 2024-03-12

Fat Brands, Inc filed a 10-K at 2024-03-12 17:23:30 EDT
Accession Number: 0001628280-24-010647


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

Our business is substantially dependent upon our computer systems, devices and networks to collect, process and store the data necessary to conduct most aspects of our business. We have developed and maintain a cybersecurity program, which includes people, processes, and technology aimed at defending our computer systems, devices and networks against increasingly sophisticated threats. We recognize the importance of protecting both our information and operations from threats that could disrupt our business, put our assets at risk or compromise our customer and employee data. Our cybersecurity program is implemented and maintained using information security tools, policies and a dedicated team responsible for monitoring our networks, providing training to our employees, analyzing the evolution of new threats and strategies for mitigating such threats and seeking to continually harden our cybersecurity posture. The program is periodically exercised, reviewed, updated, and vetted through third-party audits, assessments, and tests with the goal of validating its effectiveness in reducing risk, as well as evaluating its compliance with legal and regulatory requirements.

We assess, identify and manage our material risks from cybersecurity threats by employing the following:

- Identification of critical systems - we seek to identify which operational or information technology, if compromised or exploited, would result in operational disruption or data compromise. We aim to protect the entire environment at an enterprise level where practical, combined with additional layered, risk-based controls designed to safeguard against cybersecurity threats. This strategic, defense-in-depth, and risk-based approach to cybersecurity provides a methodology designed to identify, protect, detect, respond, and recover from cybersecurity incidents.
- Network segmentation - we use a combination of firewalls and routers to provide network segmentation seeking to provide us with network zone protection.
- Access controls - we leverage several security capabilities to attempt to enforce access, authorization and authentication to relevant systems, technology, and controls. A least-privilege methodology is applied for localized client workstations, servers, and applications. Security capabilities for access control include physical, administrative, and technical controls that combine to provide a defense-in-depth approach designed to protect our cyber assets from unauthorized use.
- Continuous monitoring, detection, and auditing - we employ various technologies, tactics, and procedures aimed to continuously monitor, baseline, and detect threats, and audit our network and systems. In addition, we use a combination of technology tools with outside managed security service providers designed to capture, analyze and respond to security anomalies.
- Patch management - we use a network vulnerability scanning tool that continually scans, and reports identified vulnerabilities in servers and workstations in certain networks. Vulnerability scanner reports are used to drive patching and remediation efforts and are also used as a tool to evaluate the effectiveness of efforts to seek to ensure patches are applied timely. Application and infrastructure subject matter experts subscribe to various third-party vendor security notifications to receive proactive notifications on, among other things, bugs, security flaws and mitigations, related to operational and information systems.

The above cybersecurity risk management processes are integrated into our overall risk management program. Cybersecurity threats are understood to be wide reaching and to intersect with various other enterprise risks.

In addition to assessing our own cybersecurity preparedness, we also consider cybersecurity risks associated with our use of third-party service providers based on the potential impact of a disruption of the services to our operations and the sensitivity of data shared with the service providers. We regularly engage independent third parties to periodically assess our cybersecurity posture. These assessments include penetration tests, purple team activities, health checks and point-specific technical cybersecurity assessments of key systems. Some of these assessments are performed with internal audit oversight and tested in regular intervals.

Impact of Risks from Cybersecurity Threats

As of the date of this Annual Report, we are not aware of any previous cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Item 1A. Risk Factors for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems.

Cybersecurity Governance

Our Board of Directors oversees the execution of our cybersecurity strategy and the assessment of cybersecurity risks, along with the actions that we take seeking to mitigate and address those cybersecurity risks.

Our Chief Information Officer (CIO) oversees our cybersecurity activities and leads our team of cybersecurity professionals responsible for our cybersecurity program and is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents as part of our cybersecurity programs. Our CIO and other cybersecurity professionals provide periodic updates regarding cybersecurity risks to our Cyber Incident Response Steering Committee and Board of Directors.

Company Information

Name: Fat Brands, Inc
SIC Description: Retail-Eating Places
Ticker: FAT - Nasdaq; FATBB - Nasdaq; FATBP - Nasdaq; FATBW - Nasdaq
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 25