CHUY'S HOLDINGS, INC. - (CHUY)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data.
Risk Management
We have integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. The Company evaluates and addresses cybersecurity risks in alignment with our business objectives and operational needs. The Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Governance
The board of directors recognizes the critical importance of maintaining the trust and confidence of our customers, business partners and employees. The board of directors is actively involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management. The board of directors has established robust oversight mechanisms to ensure effective governance in managing risks.
The Audit Committee bears the primary responsibility for the board of directors' oversight of cybersecurity risks. The Audit Committee is composed of board members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.
Our Vice President of Information Technologies ("IT") and our Chief Financial Officer ("CFO") play a pivotal role in informing the Audit Committee about cybersecurity risks. They provide comprehensive briefings to the Audit Committee on a regular basis, with a minimum frequency of once per quarter. These briefings encompass a broad range of topics, including:
• the current cybersecurity landscape and emerging threats;
• the status of ongoing cybersecurity initiatives and strategies;
• incident reports and learnings from any cybersecurity events; and
• compliance with regulatory requirements and industry standards.
In addition to its scheduled meetings, the Audit Committee, Vice President of IT and CFO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain, ensuring the board of directors' oversight is proactive and responsive. The Audit Committee actively participates in strategic decisions related to cybersecurity, offering guidance and input for major initiatives. This involvement ensures that cybersecurity considerations are integrated into our broader strategic objectives. Additionally, on an annual basis, the board of directors discusses the Company’s approach to cybersecurity risk management with the Vice President of IT and CFO.
Our Vice President of IT, in his capacity, regularly informs the CEO and CFO of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the board of directors, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.
Risk Management Personnel
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our Vice President of IT and our Security and Compliance Engineer. Our Vice President of IT and Security and Compliance Engineer have served in various roles in information technology and information security for over 30 years and bring a wealth of expertise to their roles. Their in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies.
Recognizing the complexity and evolving nature of cybersecurity threats, we engage with external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements.
The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
The Company provides training for personnel regarding cybersecurity threats as a means to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes and practices.
Monitoring Cybersecurity Threats and Incidents
Our Vice President of IT remains informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. Our Vice President of IT implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. The Company conducts an annual review of its cybersecurity measures and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.
In the event of a cybersecurity incident, the Vice President of IT is equipped with an incident response and recovery plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. The board of directors and senior management also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds.
Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. For additional information, see Item 1A. “Risk Factors—Information technology system failures or breaches of our network security could interrupt our operations and harm our business, financial condition and results of operations.”