PAPA JOHNS INTERNATIONAL INC - (PZZA)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Papa Johns’ cybersecurity program includes a defense-in-depth model that utilizes a variety of techniques and tools for protecting against, detecting, responding to and recovering from cybersecurity incidents. Our cybersecurity program is designed to prioritize detection, analysis and response to known and anticipated cyber threats, effective management of cyber risks, and resilience against cybersecurity incidents. Our program leverages industry frameworks, including the Payment Card Industry Standards (PCI) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
Cybersecurity Governance
At Papa Johns, the Company’s cybersecurity strategy and risk management is overseen by the Board of Directors (the “Board”) through its Audit Committee and implemented and managed by the Company’s Cyber Oversight Group, a cross-functional team of senior management.
Board Governance
The Audit Committee and the Board consider cybersecurity part of the Company’s overall enterprise risk management (“ERM”) function, which the Audit Committee oversees. The Audit Committee and the Board consider cybersecurity as part of the Company’s business strategy, financial planning, and capital allocation.
The Audit Committee oversees our information security program, which includes oversight of our cybersecurity program and cybersecurity risks. As part of its oversight responsibility, and pursuant to its charter, the Audit Committee reviews with management and reports to the full Board with respect to significant information security matters and risks and management’s actions to monitor and address identified issues. The Internal Audit team meets monthly with the VP, Information Security and Compliance officer along with key IT leadership to discuss open cyber or data security risks. This effort is to ensure items of risk are addressed and resolved in a timely manner. The Audit Committee receives updates from the Company’s Chief Insights and Technology Officer (“CITO”), VP, Information Security and Compliance, and/or members of our executive leadership team. Management also reports to the full Board at least annually regarding a comprehensive overview and status of the Company’s information security program. The Audit Committee is also apprised of cybersecurity incidents consistent with the provisions of our cybersecurity incident response plan (“IRP”) pertaining to escalation of more significant incidents.
Management Governance
The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Cyber Oversight Group, led by our CITO and VP, Information Security and Compliance. Our CITO leverages his decades of experience as an IT professional with significant expertise in enterprise architecture, engineering, analytics and digital technology. In addition, our VP, Information Security and Compliance has over 20 years of experience as a Chief Information Security Officer in multiple industries and has received Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) certifications. Our CITO and VP, Information Security and Compliance are responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, and response to cybersecurity threats and incidents and are regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats.
Members of our Cyber Oversight Group also include our Chief Executive Officer, Chief Legal and Risk Officer, Senior Director of Internal Audit and technology and data privacy in-house counsel. The Cyber Oversight Group is also tasked with reporting to the Audit Committee on cybersecurity risk management strategies, as well as any significant cybersecurity incidents that may occur. In addition, the Cyber Oversight Group meets at least four times per year, or with greater frequency as necessary, to, without limitation:
review with management the Company’s cybersecurity threat landscape, risks, and data security programs, and the Company’s management and mitigation of cybersecurity risks and incidents;
review with management the Company’s compliance with applicable information security and data protection laws and industry standards;
discuss with management the Company’s cybersecurity, technology and information systems policies as to risk assessment and risk management, including the guidelines and policies established by the Company to assess, monitor, and mitigate the Company’s significant cybersecurity, technology and information systems related risk exposures; and
review and provide oversight on the Company’s crisis preparedness with respect to cybersecurity, technology and information systems, including cybersecurity incident response preparedness, communication plans, and disaster recovery capabilities.
Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
Our Cyber Oversight Group utilizes the IRP to: (1) prepare for and protect against cybersecurity incidents; (2) identify and analyze cybersecurity incidents; and (3) contain, eradicate, and help ensure appropriate reporting of cybersecurity events. In the event of a cybersecurity incident, the IRP provides a framework to coordinate the response. The IRP also addresses escalation protocols to the senior management responsible for disclosure determinations related to a cybersecurity incident and provides for Audit Committee and Board briefings as appropriate. We also manage threats to our systems originating from or associated with third-party service providers by integrating cybersecurity requirements and other provisions into various contracts. Vulnerabilities and risks identified for our third-party vendors are handled through ongoing scanning and reviews.
We employ a variety of measures to prepare for and protect against, detect, and contain and eradicate cybersecurity incidents and threats. The preparatory and protective measures we have in place include, without limitation, password protection, multi-factor authentication, internal and external penetration testing, cybersecurity assessments, industry benchmarking, and annual cybersecurity awareness trainings for our employees as well as social engineering awareness simulations. To detect and analyze cybersecurity incidents, our cybersecurity program uses automated event-detection technology monitored by our cyber defense team, notifications from employees, vendors or service providers, and other tools. Once a potential cybersecurity incident is detected, our IRP sets forth the process we follow to investigate the potential incident and contain it. After the cybersecurity incident is contained, our focus shifts to remediation, eradication, and recovery, with such efforts dependent upon the nature of the cybersecurity incident. We have relationships with a number of well-established third-party service providers to assist with cybersecurity incident response, containment and remediation efforts. We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity incidents that impact our own systems, networks, and technology. While we maintain a robust cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see “Item 1A—Risk Factors.”
Cybersecurity Risks
We are currently not aware of any material cybersecurity incidents or threats that have impacted the Company or our business, financial condition, results of operations, employees or customers in the past three years. However, we and our customers routinely face risks of cybersecurity incidents, wholly or partially beyond our control, as we rely heavily on our information technology systems, including digital ordering solutions through which more than 85% of our domestic sales originate. Although we make efforts to maintain the security and integrity of our information technology systems, these systems and the proprietary, confidential internal and customer information that resides on or is transmitted through them, are subject to the risk of a cybersecurity incident or disruption, and there can be no assurance that our security efforts and measures, and those of our third party providers, will prevent breakdowns or incidents affecting our or our third party providers’ databases or systems that could adversely affect our business. For a discussion of these risks, see “Item 1A—Risk Factors—Information Technology and Cybersecurity Risks—Disruptions of our critical business or information technology systems could harm our ability to compete and conduct our business” and “—Failure to maintain the integrity of internal or customer data could result in damage to our reputation, loss of sales, and/or subject us to litigation, penalties or significant costs.”