El Pollo Loco Holdings, Inc. - (LOCO)
10-K Filing Date: March 08, 2024
The Company has multi-layer processes to assess, identify and manage material risks from cybersecurity threats. These processes are integrated into the Company’s enterprise risk management as part of its overall risk management strategy.
A cross-functional team of senior leadership assesses potential material risks to the business and to the Company’s ability to meet its strategic priorities, including risks from cybersecurity threats. The Company’s senior leadership receives updates from the relevant functional heads or other subject matter specialists on these potential material risks, as well as on the processes or other steps being taken to manage or mitigate them. The team includes senior leaders in areas of importance to Company priorities, including the Company’s Chief Privacy Officer (who is also our Vice President of Information Technology) and the Chief Legal Officer. The Company’s senior leadership assesses and prioritizes risk based on impact to shareholders, operations, and strategic priorities, among other factors.
The Chief Privacy Officer oversees the Company’s information security program and is responsible for day-to-day information risk management activities through the internal information security team and outside resources. The VP, Chief Privacy Officer, who has 30 years of IT and IT security experience, 20 of which are at the Company, employs a team of information technology experts, including a dedicated Cyber Security Analyst. The VP, Chief Privacy Officer and the Cyber Security Analyst are further supported by other members of the IT department.
The Company’s processes to assess, identify and manage material risks from cybersecurity threats include, but are not limited to, the following:
● The VP, Chief Privacy Officer, the dedicated Cyber Security Analyst, and other key members of the information technology team actively monitor threats to the information technology environment. They work with a third party that provides additional 24/7 monitoring of cyber threats. These internal and external cybersecurity teams are empowered to contain network access through various application controls. Structural protections are also in place to mitigate the risk of endpoint failures and provide for continuity of operations.
● The Company uses various systems to manage threats, for example firewall protections, anti-virus protections and vulnerability scans. Such systems are regularly reviewed for adequacy and potential enhancements.
● The Company employs an information security and training program for our employees, including mandatory computer-based training, regular internal communications, and ongoing end-user testing to measure the effectiveness of our information security program.
● The Company engages external third parties to advise on emerging threats in order to stay current and strengthen our security capabilities.
● The Company performs penetration testing and other exercises against its internal and external networks to identify potential vulnerabilities.
● The Company additionally performs annual tabletop exercises with the information technology team pertaining to infrastructure and cybersecurity-related events, to test the Company’s incident response and business continuity plans in the event of a cybersecurity incident.
● Bi-annually, the Company engages a third party to conduct an audit of the Company's cybersecurity systems and processes to test their adequacy and efficacy. The results are shared with senior leadership and the Audit Committee of the Board, and incorporated into strategic security plans.
● The Company maintains cybersecurity insurance, which is assessed annually for the appropriateness of coverage levels in light of emerging trends.
The Company also has in place an Incident Response Plan that enables it to quickly categorize and respond to real or potential cybersecurity incidents, and to escalate them to senior leadership and the Audit Committee of the Board, in a manner designed to mitigate overall business impact.
In connection with the Company’s review and approval of potential new vendors, the Company assesses the data types or Personally Identifiable Information that the vendor may maintain, store or access, and reviews the adequacy of the vendor's cybersecurity procedures and legal protections. Legal counsel and the VP, Chief Privacy Officer review the cyber and contractual protections and consider the overall risk profile in light of the type of agreement, the data involved, the vendor, and the jurisdiction, among other factors. Vendors whose controls are deemed insufficient after weighing the relevant criteria will not be approved.
The Board of Directors is kept apprised of material risks from cybersecurity threats through the Audit Committee. The Audit Committee is responsible for overseeing threats to the Company, including cyber threats, and for reviewing the Company’s protocols and procedures to mitigate those threats. On a quarterly basis, the VP, Chief Privacy Officer presents to the Audit Committee on the Company’s cybersecurity compliance and risk management practices. These presentations address, among other things, the results of audits and reviews of our information security systems and other cybersecurity measures, the current threat environment, and cybersecurity trends and best practices. As applicable, these quarterly presentations also include reports of cybersecurity incidents affecting our information systems, along with updates on the status of prior cybersecurity incidents and applicable remediation efforts. The Audit Committee discusses the adequacy and efficacy of the controls and shares the information with the Board as part of its risk oversight function. Outside of the quarterly presentations, the Audit Committee is informed of incidents that, in senior leadership’s discretion, require more immediate Audit Committee attention.
To date, the Company has not, to its knowledge, experienced any cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. However, we can give no assurance that we have detected or protected against all cybersecurity incidents or cybersecurity threats. Please refer to the risk factor titled “Our inability or failure to execute our business continuity and response plan following a major disaster such as a natural disaster, terrorism, social unrest or a cybersecurity incident affecting our corporate facilities could materially adversely affect our business” in “Item 1A, Risk Factors” in this report for additional information about risks related to cybersecurity matters.