Sweetgreen, Inc. - (SG)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

Risk management and strategy

We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical information technology and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and customer and employee data (“Information Systems and Data”).

Our Chief Technology Officer (“CTO”), as well as the security operations, engineering, risk management and legal functions help identify, assess and manage the Company’s cybersecurity threats and risks. Our security
53

Table of Contents
operations team monitors and identifies potentially material cybersecurity threats and risks, implements and maintains the Company’s incident management policies and plans. Our security operations team leads our efforts to identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example, subscribing to reports and services that identify cybersecurity threats, monitoring incident notifications from stakeholders, conducting threat assessments, managing software vulnerabilities and patches, conducting tabletop incident response exercises, and, in connection with our legal function, coordinating with law enforcement concerning threats.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: an incident response plan; vulnerability management activities; encryption of data; network security controls; data access controls; penetration testing; cybersecurity insurance; and a dedicated security operations team.

Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, our information security function works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business, and our senior management evaluates material risks from cybersecurity threats against our overall business objectives and provides an annual cybersecurity update to each of the board of directors and the audit committee.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example professional services firms including legal counsel, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, forensic investigators, and penetration testing firms.

We use third-party service providers to perform a variety of functions throughout our business, such as account management, payment processing, cloud-based infrastructure, data center hosting, and content delivery to customers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and we may impose contractual obligations related to cybersecurity on the provider.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “If the confidentiality, integrity, or availability of our information technology, software, services, communications, or data, or those of third parties upon which we rely, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; loss of customers or sales; and other adverse consequences.”

Governance

Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee is responsible for overseeing Company’s cybersecurity risk management processes, including oversight, mitigation, and disclosure of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our CTO and members of our legal and cybersecurity teams. Our CTO has more than three decades of experience working in technology for global companies in the technology, retail, and food services industries and has served in senior management at another public food service company.
Senior management is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Senior management is also responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity policies and processes, and reviewing security assessments and other security-related reports.

Our incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including the Chief Executive Officer, Chief Legal Officer, and Chief Financial Officer. The Chief Legal Officer works with the Company’s cybersecurity incident response team to help the Company mitigate and remediate cybersecurity incidents of which he is notified. In addition, the Company’s incident response process includes reporting material incidents to the audit committee of the board of directors.
54

Table of Contents

The audit committee and the full board receive annual reports from senior management concerning the Company’s significant cybersecurity threats and risk and the processes the Company has implemented to address them. The audit committee also receives various reports, summaries or presentations related to certain cybersecurity threats, risks, and mitigations.