NOODLES & Co - (NDLS)

10-K Filing Date: March 07, 2024
ITEM 1C. Cybersecurity

In the ordinary course of our business, we collect, store and transmit sensitive information including intellectual property, proprietary business information and personal information in connection with business operations. Additionally, we leverage our third-party vendors to collect, use, store, and transmit confidential, sensitive, proprietary, personal, and health-related information. The secure maintenance of this information and our information technology systems is important to our operations and business strategy. To this end, we have implemented processes designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein. These processes are managed and monitored by a dedicated information technology team, which is led by our Executive Vice President of Technology, and include mechanisms, controls, technologies, systems, and other processes designed to prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the data and maintain a stable information technology environment. For example, we constantly monitor our information technology environment for abnormal behavior, conduct penetration and vulnerability testing, data recovery testing, security audits, and ongoing risk assessments, including due diligence on our key technology vendors and other third-party service providers that have access to the personal information we collect, use, store, and transmit. We leverage standard industry tools from a software and hardware perspective and maintain a cybersecurity risk insurance policy. We also conduct periodic employee trainings on cyber and information security, among other topics. In addition, we consult with outside advisors and experts on a regular basis to assist with assessing, identifying, and managing cybersecurity risks, including to anticipate future threats and trends, and their impact on the Company’s risk environment.

Our Executive Vice President of Technology, who reports directly to the Chief Executive Officer and has over 16 years of experience managing information technology and cybersecurity matters, together with our senior leadership team, is responsible for assessing and managing cybersecurity risks. We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework. In the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, but we face certain ongoing cybersecurity risks threats that, if realized, are reasonably likely to materially affect us. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “We may be harmed by breaches of security of information technology systems or our confidential consumer, employee, financial, or other proprietary data.”

23

 
The Board of Directors, as a whole and at the committee level, has oversight for the most significant risks facing us and for our processes to identify, prioritize, assess, manage, and mitigate those risks. The Audit Committee, which is comprised solely of independent directors, has been designated by our Board to oversee cybersecurity risks. The Audit Committee receives periodic updates on cybersecurity, including immediate notification of any material cybersecurity events, and information technology matters and related risk exposures from our Executive Vice President of Technology as well as other members of the senior leadership team. The Board receives updates from management and the Audit Committee on cybersecurity risks.
24