First Watch Restaurant Group, Inc. - (FWRG)

10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We deploy a cybersecurity program modelled on Center for Internet Security (CIS) Critical Security Controls, commonly referred to as CIS Controls. We believe our program’s control focus provides immediate protection and scalability for our business. Our program defines our governance and management oversight, and includes (i) continual training to raise user vigilance and resistance to phishing attempts and cyber-attacks, (ii) evaluation of compliance with privacy and data security regulations and (iii) reporting obligations in the event of an incident. As part of our program, we partner with a security operations center for continuous monitoring and alerting across all of our information technology systems.

Annually, we engage external consultants to evaluate the effectiveness of our cybersecurity program and recommend improvements. We have also developed vendor scoring criteria to assess cybersecurity, incident readiness and cyber insurance of our critical vendors and service providers.

Security incidents or breaches have from time to time occurred and may in the future occur involving our systems, the systems of the parties with whom we communicate or collaborate (including franchisees) or the systems of third-party providers. As of the date of this Annual Report on Form 10-K, we have not experienced cybersecurity threats or incidents that have materially affected us. However, any actual or perceived breach in the security of our information technology systems or those of our franchisees or our critical vendors and service providers could lead to damage to or failure of our computer systems or network infrastructure which could cause an interruption in our operations and could have a material adverse effect on our business. Furthermore, a significant theft, loss, disclosure, modification or misappropriation of, or access to, guests’, employees’, third parties’ or other proprietary data or other breach of our information technology systems could subject us or our franchisees to litigation or to actions by regulatory authorities. See also Item 1A. “Risk Factors - Risks Related to Information Technology and Intellectual Property—Information technology system failures or breaches of our network security could interrupt our operations and have a material adverse effect on our business, financial condition and results of operations.”

Governance

The Audit Committee of our Board is tasked with oversight of certain risk issues, including cybersecurity. The Audit Committee receives reports on cybersecurity at least annually from the Company’s SVP, Informational Technology, who has over 25 years of experience in the management of information technology systems and cybersecurity. The Audit Committee briefs the full Board of Directors on these matters as a part of its reports of its meetings.