Driven Brands Holdings Inc. 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 27, 2025

Driven Brands Holdings Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-26 16:30:47 EST.

Filings

10-K filed on 2025-02-26

Driven Brands Holdings Inc. filed a 10-K at 2025-02-26 16:30:47 EST
Accession Number: 0001804745-25-000010


Item 1C. Cybersecurity.

We maintain a risk-based cybersecurity program designed to protect our information and our customers’ information from cybersecurity threats against us, our franchisees, our third-party vendors, and services providers, which may result in a material adverse effect on the confidentiality, integrity, and availability of our information systems.

Cybersecurity Governance

Management’s Role in Cybersecurity Risk Management

At the management level, our cybersecurity team is led by our Chief Information Security Officer (“CISO”), a certified information systems security professional with decades of experience in both the public and private sectors, who has led cybersecurity teams at large organizations and held leadership roles in information security and cybersecurity industry groups. Our CISO, in consultation with senior leadership and the Board of Directors, sets the strategic direction of our cybersecurity program across the Company and is responsible for implementing, monitoring, and maintaining it. The cybersecurity program includes processes related to the prevention, detection, mitigation, and remediation of cybersecurity threats. Our CISO is supported by a Cybersecurity Team of enterprise information system security and risk professionals. Our CISO receives periodic reports on cybersecurity threats and regularly reviews risk management measures implemented by the Company to identify and mitigate cybersecurity risks.

Board of Directors Oversight

Our Board of Directors, in coordination with its Audit Committee, oversees the Company’s enterprise risk management process, including the management of risks arising from cybersecurity threats. Both the Board of Directors and the Audit Committee periodically review the measures we have implemented to identify and mitigate data protection and cybersecurity risks.
The Audit Committee, as part of the governance and oversight of company risk management, also periodically receives reports and presentations from the CISO regarding the Company’s cybersecurity risk management. The Board receives reports of Audit Committee discussions regarding its oversight of cybersecurity risk. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, are reported to the Board and/or Audit Committee.

Cybersecurity Risk Management and Strategy

We employ a defense-in-depth approach for our cybersecurity program, with policies, systems, and processes designed to oversee, identify, prevent, and reduce the potential impact of a cybersecurity threat against us or a third-party vendor or service provider. These policies, systems and processes include but are not limited to: Multi-factor Authentication, Privileged Account Management, Endpoint, Email and Cloud Security platforms, immutable backups, vulnerability scanning, third-party risk assessments, and other applicable controls. Driven Brands’ risk management program for information security and cybersecurity aims to protect the confidentiality, integrity, and availability of our information assets. It is designed using people, processes, technologies, and capabilities, such as monitoring, alerting, scanning, testing, tabletop exercises, trainings, and assessments, to identify risks from cybersecurity threats, system vulnerabilities, or third-party service providers and vendors. The Company’s cybersecurity programs are updated regularly to align with emerging technical threats, such as those introduced through threat actors’ adoption of AI, changes in regulatory requirements, and industry best practices.
In addition to our internal cybersecurity capabilities, we also engage consultants and other third-party service providers where appropriate to inform our understanding of cybersecurity risks and enable risk-based measures to defend against cybersecurity threats.

Incident Response

In addition to policies and processes designed to prevent and detect cybersecurity incidents, we have adopted a Cybersecurity Incident Response Plan (the “IRP”) that provides a standardized framework for responding to cybersecurity incidents. The IRP sets out a coordinated approach to investigating, responding to, containing, documenting, and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate, and complying with applicable regulatory notifications and standards. The IRP applies to Company personnel (including third-party contractors, vendors and partners) that perform functions or services that require access to secure Company information, and to applicable devices and network services. These processes include clear escalation paths to ensure that cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, are reported to the Board of Directors and/or Audit Committee.

Material Cybersecurity Risks, Threats and Incidents

Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, to date have not materially affected the Company, including its business strategy, results of operations or financial condition. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A “Risk Factors” under the heading “Risks Related to Intellectual Property and Technology,” which should be read in conjunction with the foregoing information.


Company Information

Name: Driven Brands Holdings Inc.
CIK: 0001804745
SIC Description: Services-Automotive Repair, Services & Parking
Ticker: DRVN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 26