Yum China Holdings, Inc. - (YUMC)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.
Information technology systems, including our mobile or online platforms, mobile payment and ordering systems, loyalty programs and various other online processes and functions, are critical to our business and operations. The Company faces risks associated with cybersecurity, including operational interruptions, financial losses, personal information leakage and non-compliance risks. For additional details on risks from cybersecurity threats, please refer to “Item 1A. Risk Factors — The occurrence of security breaches and cyber-attacks could negatively impact our business.” and “—Unauthorized access to, or improper use, disclosure, theft or destruction of, our customer or employee personal, financial or other data or our proprietary or confidential information that is stored in our information technology systems or by third parties on our behalf could result in substantial costs, expose us to litigation and damage our reputation.”
Our information technology systems are protected through technological safeguards and management measures. We detect, identify, assess and mitigate cybersecurity risks by adopting standard risk management methodologies, which are developed based on the international cybersecurity management system standard ISO 27001 as well as an asset-oriented risk assessment framework. To minimize the potential impact on business operations in the event of a cybersecurity incident, we have formulated, and regularly test, our incident response plan. We have also established a framework for data security and personal information protection, including measures to prevent data loss and to detect and block abnormal accounts and activities, as well as systems and processes to prevent, detect and mitigate vulnerabilities. Our employees participate in regular cybersecurity training to enhance their awareness of cybersecurity risks. We periodically assess these processes and practices, which are designed to address cybersecurity threats and incidents.
We regularly engage external consultants to assess and independently verify our cybersecurity risk management, striving for continuous optimization of our cybersecurity policies, cybersecurity risk management processes and technical measures. These engagements assist us in ensuring that our cybersecurity management practices and technical measures comply with applicable laws, regulations, industry standards and the Company’s policies. The Company has maintained ISO/IEC 27001:2013 certification since 2018 for certain online businesses.
We have established processes designed to manage cybersecurity threats associated with the use of third-party service providers. These processes include security evaluations before third parties are admitted, ongoing oversight and assessment of their security status, and the adoption of necessary security measures upon termination of services.
Our Board of Directors maintains overall responsibility for overseeing the Company’s risk management framework, and cybersecurity represents an important component of that framework. The Board regularly reviews risks that may be material to the Company. The Audit Committee assists the Board in the oversight of cybersecurity and other technology risks. Through regular reports from the Chief Technology Officer ("CTO") and the Chief Legal Officer, the Audit Committee discusses cybersecurity risk mitigation and incident management with management, and reviews management reports regarding the Company’s cybersecurity governance processes, incident response system and applicable cybersecurity laws, regulations and standards, the status of projects to strengthen internal cybersecurity management, the evolving threat environment, vulnerability assessments, specific cybersecurity incidents and management’s efforts to monitor, detect and prevent cybersecurity threats. In addition, significant cybersecurity incidents will be immediately reported to the Board in accordance with the Company’s incident response plan.
The Yum China Compliance Oversight Committee (the "Compliance Committee"), primarily comprised of leaders and representatives from our information technology, supply chain, legal, finance, HR and public affairs functions, as well as the internal audit group, is responsible for assisting the Board and the Audit Committee in overseeing the Company’s cybersecurity risks. The Compliance Committee meets regularly to discuss legal and regulatory developments on cybersecurity, assess the Company's emerging cybersecurity risks and mitigation plans, and determine strategy to promote cybersecurity compliance. Through ongoing communications, the Compliance Committee is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. Our CTO, a member of the Compliance Committee, served in various positions in the Company’s information technology department for more than 20 years and began leading the department in 2017.

2023 Form 10-K

To its knowledge, the Company has not experienced a material cybersecurity breach within the last three years, nor has it identified any risks from cybersecurity threats that have materially affected us, including our business strategy, results of operations or financial condition. The Company maintains cybersecurity insurance as part of its overall insurance programs.