Krispy Kreme, Inc. 10-K Cybersecurity GRC - 2026-03-06

Page last updated on March 6, 2026

Krispy Kreme, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-06 16:26:30 EST.

Company Summary

Krispy Kreme is a global retailer of premium-quality sweet treats and is famous for its original glazed doughnut.

Filings

10-K filed on 2026-03-06

Krispy Kreme, Inc. filed a 10-K at 2026-03-06 16:26:30 EST
Accession Number: 0001857154-26-000015


Item 1C. Cybersecurity.

Risk Management and Strategy

We have processes in place for assessing, identifying, and managing material risks from unauthorized occurrences on or through our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems. These include a wide variety of mechanisms, controls, technologies, methods, systems, and other processes that are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities.

In addition, we engage with independent third-party partners, including cybersecurity assessors, consultants, and auditors, to assess and consult on our cybersecurity capabilities, prioritize areas of risk, and assist with execution of our risk management and strategic plans. Our collaboration with these third parties includes audits, threat assessments, and consultation on security enhancements. In an effort to mitigate data or security incidents that may originate from third-party suppliers, we also identify, prioritize, assess, and address third-party risks; however, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure that their efforts will be successful.

As part of our risk management process, we conduct application security assessments, vulnerability management, penetration testing, security audits, and risk assessments. We provide cybersecurity awareness training to employees with access to information systems, including corporate employees. We also maintain an incident response plan. Our incident response plan outlines the process for our coordination with our third-party cybersecurity providers to respond to and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with applicable legal obligations and mitigate brand and reputational damage. In addition, our incident response plan includes actions designed to enhance processes and responsiveness to address future incidents. We continue to strengthen our systems, cybersecurity training, policies, programs, response plan, and other similar measures.

As previously disclosed, during fiscal 2024 unauthorized activity on a portion of our information technology systems resulted in the Company experiencing certain operational disruptions (the "2024 Cybersecurity Incident"). The incident materially affected the Company's business operations and results of operations. For more information, see "Management's Discussion and Analysis of Financial Condition and Results of Operations" included in Item 7 of Part II of this Annual Report.

As of the date of this report, except as set forth herein, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, our business strategy, results of operations, or financial condition. For more information regarding cybersecurity risks that have and may in the future materially affect us, see "Risk Factors-Risks Related to Cybersecurity, Data Privacy, and Information Technology" included in Item 1A of Part I of this Annual Report.

Governance

Our Chief Technology and Performance Officer ("CTO") leads our global information security organization responsible for overseeing the Company's information security program. Our Chief Information Security Officer ("CISO") is primarily responsible for identifying, assessing, monitoring, and managing cybersecurity threats to our overall enterprise. Our CTO has over 25 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Our CISO, who reports directly to the CTO, has over 30 years of information technology infrastructure and security experience, including developing and leading cybersecurity risk management programs for a variety of companies.

The CISO uses internal and external resources to support the Company's information security program. The CISO receives information regarding cybersecurity incidents and threats primarily from our third-party cybersecurity providers. The CISO then provides periodic reports to the CTO, including reporting on significant cybersecurity incidents, strategy, results of employee trainings, and any other notable cybersecurity matters.

Cybersecurity risk is among the top risks that the Company actively monitors. Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

The Audit and Finance Committee ("Audit Committee") of the Board of Directors oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. The Audit Committee also oversees our cybersecurity risk and receives reports from our CTO and third parties on various cybersecurity matters, mitigation measures, and the status of our information security priorities. In addition, the Audit Committee reports to the Board of Directors on any significant cybersecurity incidents, such as the 2024 Cybersecurity Incident.


Company Information

Name: Krispy Kreme, Inc.
CIK: 0001857154
SIC Description: Retail-Food Stores
Ticker: DNUT - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: