Sprouts Farmers Market, Inc. 10-K Cybersecurity GRC - 2026-02-19

Page last updated on February 19, 2026

Sprouts Farmers Market, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:08:24 EST.

Filings

10-K filed on 2026-02-19

Sprouts Farmers Market, Inc. filed a 10-K at 2026-02-19 16:08:24 EST
Accession Number: 0001575515-26-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C . Cybersecurity Cybersecurity is important to our operations. We are susceptible to significant and persistent cybersecurity threats, including data breaches, ransomware, and phishing attacks. These threats, which are constantly evolving, include attempts by malicious actors to breach our security and compromise our information technology systems, as well as those of our vendors and suppliers. A cybersecurity incident impacting us or any third party could disrupt operations, damage our reputation, and result in costly litigation and/or government enforcement action. We seek to maintain robust cybersecurity and data protection practices and continuously evaluate cybersecurity threats, considering their immediate and long-term effects on our business strategy, operations, and financial condition. Under the oversight of our Board of Directors, and the Board's risk committee, our management has established comprehensive processes for identifying, assessing, and managing material risks from cybersecurity threats. These processes are integrated into our enterprise risk management program and may include measures such as threat monitoring and detection, periodic testing, access controls, and team member training. Our cybersecurity risk management processes are informed by recognized standards such as the NIST Cybersecurity Framework. Our detailed incident response plan outlines steps for detection, assessment, notification, and recovery, including escalation to management, the Risk Committee, and the Board when appropriate. The risk committee of our Board, chaired by a director with extensive cybersecurity expertise, receives quarterly updates from management on cybersecurity risks and incidents, including those with moderate or higher impacts. Management updates the full board regularly to support alignment on mitigation strategies. Our Chief Technology Officer , with more than 35 years of IT experience, oversees our cybersecurity efforts and is supported by our internal information security team and external consultants. Our third-party vendors and service providers are integral to our operations but pose unique cybersecurity challenges due to their access to our data and systems and our reliance on them for certain critical operations, including supply chain management. To address these risks, we maintain a third-party vendor risk management program that includes pre-onboarding due diligence, periodic assessments, and ongoing monitoring for critical vendors and other vendors based on risk. We also assess certain critical vendors' supply chain security practices to help manage risks associated with subcontractors. As of the date of this report, no cybersecurity incidents have had a material adverse effect on our business, financial condition, or results of operations. However, we recognize that no system is immune to breaches. While we maintain cyber insurance coverage for certain risks, such as ransomware attacks and business interruption, the costs of certain incidents could exceed policy limits. We evaluate and deploy technology enhancements, which may include threat detection capabilities, to strengthen our defenses against evolving threats. See Item 1A. "Risk Factors - Disruptions to, security breaches or non-compliance involving our information technology systems could harm our ability to run our business and expose us to potential liability and loss of revenues" for additional discussion of cybersecurity risks that may materially impact us.

Company Information