Restaurant Brands International Inc. 10-K Cybersecurity GRC - 2026-02-20

Page last updated on February 20, 2026

Restaurant Brands International Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 15:40:21 EST.

Filings

10-K filed on 2026-02-20

Restaurant Brands International Inc. filed a 10-K at 2026-02-20 15:40:21 EST
Accession Number: 0001618756-26-000017

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity risk management and strategy We recognize the critical importance of maintaining the trust and confidence of our guests, franchisees, and employees. Consequently, our cybersecurity policies, standards, processes, and practices are embedded within our overall enterprise risk management ("ERM") program. We have an ongoing cybersecurity risk mitigation program, which includes maintaining up-to-date detection, prevention, and monitoring systems and contracting with outside cybersecurity firms to provide continuous monitoring of our systems as well as threat-detection services. We define a cybersecurity threat as any potential unauthorized occurrence on or conducted through our information systems or information systems of a third party that we utilize in our business that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. Our cybersecurity policies, standards, processes, and practices are based on recognized frameworks established by the National Institute of Standards and Technology and include the following components: - Collaborative Approach. We have implemented a comprehensive, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. - Deployment of Technical Safeguards. We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. - Development and Periodic Testing of Incident Response and Recovery Planning. We have developed and maintain comprehensive incident response and recovery plans that address our response to cybersecurity threats, and such plans are tested and evaluated on a regular basis. Our periodic testing of these plans includes a wide range of activities, including assessments, audits, tabletop exercises, threat modeling, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits, and reviews are reported to the Audit Committee, and we adjust cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews. - Third-Party Risk Management. We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, franchisees, and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. - Implementation of Regular and Mandatory Employee Training and Awareness Programs. We provide regular, mandatory training for our personnel regarding cybersecurity threats as a means to equip them with effective tools to detect and address cybersecurity threats and to communicate our evolving information security policies, standards, processes, and practices. Governance Our Audit Committee oversees our ERM program, including the management of risks arising from cybersecurity threats. The Audit Committee regularly receives presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to our peers and third parties. Our Internal Audit function performs periodic audits of our cybersecurity program and reports results to the Audit Committee. On a periodic basis, the Audit Committee discusses our approach to cybersecurity risk management with our Chief Information Security Officer ("CISO") . We have a dedicated team of cybersecurity specialists, led by our CISO, who works in coordination with our senior management and leaders at each of our brands to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. Our CISO has been serving in various technology leadership roles, spanning IT infrastructure, application development, and enterprise cybersecurity across complex and highly regulated environments for over 28 years as of December 31, 2025, and holds a CISSP certification. We also use a Managed Security Service Provider (MSSP) to provide continuous monitoring of our systems and supplement our internal security team. While prior cybersecurity incidents have not had a material impact on our business strategy, operating results, or financial condition, the evolving threat landscape presents ongoing risk. Future cybersecurity events could disrupt operations, adversely affect our reputation, increase operating and remediation costs, and expose the organization to regulatory scrutiny or litigation. Additional information regarding cybersecurity-related risks is discussed in the section titled "Risk Factors - Risks Related to Information Technology." Executive Officers of the Registrant Set forth below is certain information about our executive officers as of February 20, 2026. Patrick Doyle. Mr. Doyle, age 62, has served as Executive Chair of our Board since January 2023 and was appointed Executive Chairman of RBI in November 2022. Most recently, he served as an executive partner focused on the consumer sector of the Carlyle Group, a global diversified investment firm from September 2019 through November 2022. Prior to that, he served as the chief executive officer of Domino's Pizza from March 2010 to June 2018, having served as president from 2007 to 2010, as executive vice president of Domino's Team USA from 2004 to 2007, and as executive vice president of Domino's International from 1999 to 2004. Joshua Kobza. Mr. Kobza, age 39, was appointed Chief Executive Officer of RBI in March 2023. Prior to that, Mr. Kobza served as Chief Operating Officer of RBI from January 2019 to March 2023, as Chief Technology and Development Officer of RBI from January 2018 to January 2019, and as Chief Financial Officer of RBI from December 2014 to January 2018. From April 2013 to December 2014, Mr. Kobza served as Executive Vice President and Chief Financial Officer of Burger King Worldwide. Mr. Kobza joined Burger King Worldwide in June 2012 as Director, Investor Relations, and he was promoted to Senior Vice President, Global Finance in December 2012. Sami Siddiqui. Mr. Siddiqui, age 41, was appointed Chief Financial Officer of RBI in March 2024. Prior to that, he served as President, Popeyes U.S. & Canada from September 2020, as President of Asia Pacific for RBI from February 2019 to September 2020 and as Chief Financial Officer for Burger King Corporation from October 2018 to February 2019. From September 2016 to September 2018, he was President of Tim Hortons and from April 2015 to September 2016, he was Executive Vice President, Finance for Tim Hortons. Mr. Siddiqui joined Burger King Corporation in 2013 and served various capacities within the Global Finance groups of Burger King Corporation prior to joining the Tim Hortons team. Prior to that, he worked in the Private Equity Group at Blackstone. Axel Schwan. Mr. Schwan, age 52, was appointed as President, Tim Hortons Canada & U.S. in October 2019 after serving as Global Chief Marketing Officer for Tim Hortons since October 2017. Mr. Schwan first joined RBI as Marketing Director, Germany, Austria, and Switzerland in 2011 and was then appointed as Vice President, Marketing and Communications, EMEA for Burger King before advancing to the role of Global Chief Marketing Officer for the brand in January 2014. Prior to joining RBI, Mr. Schwan led the Schwan family restaurant business, alongside his sister, and worked in various marketing roles at Unilever and Danone in Germany. Tom Curtis. Mr. Curtis, age 62, was appointed President, Burger King U.S. & Canada in October 2021. From May 2021 to October 2021, he was the Chief Operating Officer, where he was responsible for overseeing field operations, restaurant development, and restaurant operations. Prior to joining BKC, Mr. Curtis spent 35-years at Domino's Pizza, Inc., where he most recently served as Executive Vice President, U.S. Operations and Global Operations Support, overseeing both franchise and company-owned operations from March 2020 to April 2021. Prior to that, he served as Executive Vice President, Corporate Operations from July 2018 to March 2020, and as Vice President of Franchise Relations and Operations Innovation from March 2017 to July 2018. Mr. Curtis joined Domino's in 2006, after being a Domino's franchisee since 1987. Peter Perdue. Mr. Perdue, age 35, was appointed President of Popeyes U.S. & Canada in November 2025 after serving as the Chief Operating Officer of Burger King U.S. & Canada since June 2023. Mr. Perdue has been with RBI since 2013, and his experience spans operations, franchising, and finance, including leadership as Vice President, Finance for Burger King U.S. & Canada and Regional Vice President for Burger King in the Asia Pacific region. Thiago Santelmo. Mr. Santelmo, age 41, was appointed President, International of Restaurant Brands International in March 2024. He previously served as President, EMEA starting in February 2022 and prior to that was President of the Latin America and Caribbean region. Mr. Santelmo has been with RBI since 2013, holding strategic roles including Head of Finance & Business Development, EMEA. Prior to joining RBI, he worked at McKinsey & Company. Duncan Fulton . Mr. Fulton, age 50, was appointed Chief Corporate Officer of RBI, in June 2018, overseeing global communications, North American franchising, government relations, and ESG initiatives. Mr. Fulton also serves as Chairman of the board of directors for the Tim Hortons Foundation. Prior to joining RBI, Mr. Fulton held several positions with Canadian Tire Corporation (CTC) from November 2009 to March 2018, including Senior Vice President of Corporate Affairs, Chief Marketing Officer for FGL Sports and Mark's Work Warehouse, and President of FGL Sports. Previously, Mr. Fulton was Senior Partner and General Manager of Fleishman-Hilliard from April 2002 to November 2009. Prior to his agency experience, Mr. Fulton served as a communication advisor and spokesman for several political leaders, including former Canadian Prime Minister Jean Chrétien, Ontario Premier Dalton McGuinty, and New Brunswick Premier Frank McKenna. Jeff Housman. Mr. Housman, age 44, was appointed Chief People & Services Officer of RBI in April 2021 and previously served as Chief Human Resources Officer beginning in February 2017 as well as Head of Global Business Services from January 2015 to January 2017. Mr. Housman joined Burger King in April 2013, serving in finance, real estate, and business services roles. Prior to joining Burger King, Mr. Housman worked in investment banking at J.P. Morgan. Jill Granat. Ms. Granat, age 60, was appointed General Counsel and Corporate Secretary of RBI in December 2014. Ms. Granat served as Senior Vice President, General Counsel and Secretary of Burger King Worldwide and its predecessor since February 2011. Prior to this time, Ms. Granat was Vice President and Assistant General Counsel of Burger King Corporation from July 2009 until February 2011. Ms. Granat joined Burger King Corporation in 1998 as a member of the legal department and served in positions of increasing responsibility with Burger King Corporation. Jacqueline Friesner. Ms. Friesner, age 53, was appointed Controller and Chief Accounting Officer of RBI in December 2014. Prior to that time, Ms. Friesner served in positions of increasing responsibility with Burger King Corporation after joining in October 2002. Previous to Burger King Corporation, she was an audit manager at PricewaterhouseCoopers in Miami, Florida.

Company Information