Krispy Kreme, Inc. 10-K Item 1C. Cybersecurity - 2026-03-06
Krispy Kreme, Inc. disclosed its cybersecurity strategy, risk management, and governance process in an annual SEC 10-K filing on 2026-03-06 16:26:30 EST.
Company Summary
Krispy Kreme, Inc. is a global omni-channel sweet-treat retailer that produces and sells fresh doughnuts (notably the Original Glazed) through Company-owned and franchised Doughnut Shops, Delivered Fresh Daily cabinets in grocery/convenience/retail partners, and digital/delivery channels using a Hub and Spoke production model.
Filings
10-K filed on 2026-03-06
Krispy Kreme, Inc. filed an SEC 10-K filing on 2026-03-06 16:26:30 EST.
Accession Number: 0001857154-26-000015
Item 1C. Cybersecurity
Risk Management and Strategy
We have processes in place for assessing, identifying, and managing material risks from unauthorized occurrences on or through our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems. These include a wide variety of mechanisms, controls, technologies, methods, systems, and other processes that are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities. In addition, we engage with independent third-party partners, including cybersecurity assessors, consultants, and auditors, to assess and consult on our cybersecurity capabilities, prioritize areas of risk, and assist with execution of our risk management and strategic plans. Our collaboration with these third parties includes audits, threat assessments, and consultation on security enhancements. In an effort to mitigate data or security incidents that may originate from third-party suppliers, we also identify, prioritize, assess, and address third-party risks; however, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure that their efforts will be successful.
As part of our risk management process, we conduct application security assessments, vulnerability management, penetration testing, security audits, and risk assessments. We provide cybersecurity awareness training to employees with access to information systems, including corporate employees. We also maintain an incident response plan. Our incident response plan outlines the process for our coordination with our third-party cybersecurity providers to respond to and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with applicable legal obligations and mitigate brand and reputational damage. In addition, our incident response plan includes actions designed to enhance processes and responsiveness to address future incidents. We continue to strengthen our systems, cybersecurity training, policies, programs, response plan, and other similar measures.
As previously disclosed, during fiscal 2024 unauthorized activity on a portion of our information technology systems resulted in the Company experiencing certain operational disruptions (the "2024 Cybersecurity Incident"). The incident materially affected the Company's business operations and results of operations. For more information, see "Management's Discussion and Analysis of Financial Condition and Results of Operations" included in Item 7 of Part II of this Annual Report. As of the date of this report, except as set forth herein, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, our business strategy, results of operations, or financial condition. For more information regarding cybersecurity risks that have and may in the future materially affect us, see "Risk Factors--Risks Related to Cybersecurity, Data Privacy, and Information Technology" included in Item 1A of Part I of this Annual Report.
Governance
Our Chief Technology and Performance Officer ("CTO") leads our global information security organization responsible for overseeing the Company's information security program. Our Chief Information Security Officer ("CISO") is primarily responsible for identifying, assessing, monitoring, and managing cybersecurity threats to our overall enterprise. Our CTO has over 25 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Our CISO, who reports directly to the CTO, has over 30 years of information technology infrastructure and security experience, including developing and leading cybersecurity risk management programs for a variety of companies. The CISO uses internal and external resources to support the Company's information security program. The CISO receives information regarding cybersecurity incidents and threats primarily from our third-party cybersecurity providers. The CISO then provides periodic reports to the CTO, including reporting on significant cybersecurity incidents, strategy, results of employee trainings, and any other notable cybersecurity matters.
Cybersecurity risk is among the top risks that the Company actively monitors. Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. The Audit and Finance Committee ("Audit Committee") of the Board of Directors oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. The Audit Committee also oversees our cybersecurity risk and receives reports from our CTO and third parties on various cybersecurity matters, mitigation measures, and the status of our information security priorities. In addition, the Audit Committee reports to the Board of Directors on any significant cybersecurity incidents, such as the 2024 Cybersecurity Incident.
Company
Profile
| Name | Krispy Kreme, Inc. |
|---|---|
| CIK | 1857154 |
| SIC Description | |
| Industry | |
| Ticker | DNUT |
| Website | https://krispykreme.com |
| Category | Large Accelerated Filer |
| Fiscal Year End | |