PAPA JOHNS INTERNATIONAL INC 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

PAPA JOHNS INTERNATIONAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 07:03:20 EST.

Filings

10-K filed on 2026-02-26

PAPA JOHNS INTERNATIONAL INC filed a 10-K at 2026-02-26 07:03:20 EST
Accession Number: 0001628280-26-011965


Item 1C. Cybersecurity.

Papa Johns' cybersecurity program includes a defense-in-depth model that utilizes a variety of techniques and tools for protecting against, detecting, responding to, and recovering from cybersecurity incidents. Our cybersecurity program is designed to prioritize detection, analysis and response to known and anticipated cyber threats, effective management of cyber risks, and resilience against cybersecurity incidents. Our program leverages industry frameworks, including the Payment Card Industry (PCI) Standards and the Center for Internet Security (CIS) security framework.

Cybersecurity Governance

Board Governance

The Audit Committee provides oversight of our cybersecurity program, which includes annual and periodic reviews of our cybersecurity program and cybersecurity risks. As part of its oversight responsibility, and pursuant to its charter, the Audit Committee reviews with management, including the Cyber Oversight Group, a cross-functional management team, and reports to the full Board with respect to significant cybersecurity matters, risks and risk management strategies, and management's actions to monitor and address identified issues. The Internal Audit team also meets periodically with the VP, Information Security and Compliance officer along with key IT leadership to discuss open cyber or data security risks. The Audit Committee receives updates from the Company's Chief Digital and Technology Officer ("CDTO"), VP, Information Security and Compliance, and/or members of our executive leadership team. Management also reports to the full Board at least annually regarding a comprehensive overview and status of the Company's information security program. The Audit Committee is also apprised of cybersecurity incidents consistent with the provisions of our cybersecurity incident response plan ("IRP") pertaining to escalation of more significant cybersecurity incidents.

Management Governance

The controls and processes employed to assess, identify, and manage material risks from cybersecurity threats are implemented and overseen by our Cyber Oversight Group, led by our CDTO and VP, Information Security and Compliance. Our CDTO has decades of experience as Chief Technology Officer with multiple companies, and significant expertise in enterprise architecture, engineering, analytics, and digital technology. In addition, our VP, Information Security and Compliance has over 20 years of experience as a Chief Information Security Officer in multiple industries and has received Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) certifications. Our CDTO and VP, Information Security and Compliance are responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, and response to cybersecurity threats and incidents and are regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats. Members of our Cyber Oversight Group also include our Chief Executive Officer, Chief Financial Officer & President of North America, Chief Administrative Officer, VP of International Technology, a representative from Internal Audit, and technology and data privacy in-house counsel. The Cyber Oversight Group is also tasked with reporting to the Audit Committee on cybersecurity risk management strategies, as well as any significant cybersecurity incidents that may occur.

In addition, the Cyber Oversight Group meets at least four times per year, or with greater frequency as necessary, to, without limitation:

- review with management the Company's cybersecurity threat landscape, risks, and data security programs, and the Company's management and mitigation of cybersecurity risks and incidents;
- review with management the Company's compliance with applicable information security and data protection laws, regulatory compliance requirements, and industry standards;
- discuss with management the Company's cybersecurity, technology and information systems policies as to risk assessment and risk management, including the guidelines and policies established by the Company to assess, monitor, and mitigate the Company's significant cybersecurity, technology and information systems related risk exposures; and
- review and provide oversight on the Company's crisis preparedness with respect to cybersecurity, technology and information systems, including cybersecurity incident response preparedness, communication plans, and disaster recovery capabilities.

Processes for Assessing, Identifying, and Managing Material Risks from Cybersecurity Threats

Our Cyber Oversight Group utilizes the IRP to: (1) prepare for and protect against cybersecurity incidents; (2) identify and analyze cybersecurity incidents; and (3) contain, eradicate, and help ensure appropriate reporting of cybersecurity events in accordance with our regulatory obligations. In the event of a cybersecurity incident, the IRP provides a framework to coordinate the response. The IRP also addresses escalation protocols to senior management, responsibility with respect to disclosure determinations, and provides for Audit Committee and Board briefings as appropriate. We also manage threats to our systems originating or associated with third-party service providers by integrating cybersecurity requirements and other related obligations into various contracts.

Using a comprehensive third-party risk management process, we complete vendor intake evaluations, perform ongoing cyber risk monitoring of our critical technology vendors, and deploy other risk management strategies to evaluate and help mitigate risk associated with our third-party service providers. Vulnerabilities and risks identified for our third-party vendors are handled through ongoing scanning and reviews. We employ a variety of measures to prepare for and protect against, detect, contain, and eradicate cybersecurity incidents and threats. The preparatory and protective measures we have in place include, without limitation, password protection, multi-factor authentication, internal and external penetration testing, maturity assessments, industry benchmarking, and annual cybersecurity awareness trainings for our employees as well as social engineering awareness simulations. The security operations program includes an outsourced managed security detection and response service, augmenting the internal security staff with additional third-party dedicated staff and an expert security advisor. We have relationships with a number of well-established third-party service providers to assist with cybersecurity incident response, containment, and remediation efforts. We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity incidents that impact our own systems, networks, and technology. While we maintain a robust cybersecurity program, the techniques used to attack or impact information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see "Item 1A-Risk Factors."

Cybersecurity Risks

We are currently not aware of any material cybersecurity incidents, including third-party incidents, or threats that have impacted the Company or our business, financial condition, results of operations, employees, or customers in the past three years. However, we and our customers routinely face risks of cybersecurity incidents, wholly or partially beyond our control, as we rely heavily on our information technology systems, including digital ordering solutions through which more than 85% of our domestic sales originate. Although we make efforts to maintain the security and integrity of our information technology systems, these systems and the proprietary, confidential internal and customer information that resides on or is transmitted through them, are subject to the risk of a cybersecurity incident or disruption, and there can be no assurance that our security efforts and measures, and those of our third-party providers, will prevent breakdowns or incidents affecting our or our third-party providers' databases or systems that could adversely affect our business. For a discussion of these risks, see "Item 1A-Risk Factors-Information Technology and Cybersecurity Risks-Disruptions of our critical business or information technology systems could harm our ability to compete and conduct our business" and "-Failure to maintain the integrity of internal or customer data could result in damage to our reputation, loss of sales, and/or subject us to litigation, penalties or significant costs."


Company Information

Name: PAPA JOHNS INTERNATIONAL INC
CIK: 0000901491
SIC Description: Retail-Eating Places
Ticker: PZZA - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 28