RED ROBIN GOURMET BURGERS INC - (RRGB)

10-K Filing Date: February 28, 2024
ITEM 1C. Cybersecurity
Risk Management and Strategy
The Company has an enterprise risk management program to identify, assess, monitor, and manage significant risks of the Company. The Company evaluates cybersecurity risks alongside other critical business risks under this program, and the Company also has a standalone cybersecurity program. The Company's approach to assessing, identifying, and managing material risks from cybersecurity threats is grounded in established frameworks, including those set forth by the National Institute of Standards and Technology (NIST) and other industry standards and requirements as defined by various compliance frameworks. Our cybersecurity program prioritizes key areas such as:
Policies, Standards, and Practices: We maintain comprehensive policies, standards, and practices aligned with industry practices and regulatory requirements. These documents serve as the foundation for our cybersecurity program, providing clear guidelines for safeguarding our information systems and data assets.
Threat Monitoring and Assessment: Continuous monitoring and assessment of cyber threats and vulnerabilities are integral to our risk management strategy. We utilize advanced monitoring tools and threat intelligence sources to proactively identify and address potential security risks. The Company uses third-party service providers to support its operations. The Company evaluates third-party service providers from a cybersecurity risk perspective, which may include an assessment of that service provider’s cybersecurity posture or a recommendation of specific mitigation controls.
Audits and Assessments: Regular audits and assessments are conducted by both internal and external experts (consultants, auditors, and other third parties) to evaluate the effectiveness of our cybersecurity controls and processes and recommend improvements. These assessments help us achieve compliance with internal policies as well as external regulations and standards.
Incident Response Planning: We have developed comprehensive incident response plans to mitigate cybersecurity incidents. These plans outline clear procedures for detecting, responding to, and recovering from security breaches, minimizing the impact on our operations and stakeholders. External technical, legal, and law enforcement support is engaged as needed to support response efforts.
The Company employs a multifaceted approach through in-house capabilities and in partnership with external cybersecurity experts to safeguard its assets, including technical and organizational measures. These include the deployment of technology focused on identifying and remediating threats, ongoing employee training exercises, regular incident response capability reviews and exercises, cybersecurity insurance coverage, and business continuity mechanisms.
Governance
Our Board, with the assistance of our Audit Committee, oversees the Company’s cybersecurity program and strategies. The Audit Committee receives regular reports and updates, typically quarterly, from our Chief Technology Officer (CTO) on a wide range of cybersecurity topics. These reports include detailed insights into risk assessments, mitigation strategies, emerging threats, vulnerabilities, incidents, and prevailing industry trends. After each such report, the Chair of the Audit Committee updates the full Board for transparency and accountability in cybersecurity governance. Additionally, at least annually and as needed from time to time, the Board receives similar cybersecurity updates directly from the CTO. Further, the Board oversees cybersecurity as part of our enterprise risk management program.
To further bolster the Board's understanding of cybersecurity issues, management facilitates ongoing educational opportunities. For instance, in December 2023, the Board engaged in a discussion with cybersecurity experts on building resilience to cyber risk. These educational initiatives empower Board members to make informed decisions and actively contribute to the oversight of cybersecurity governance.
Our CTO, supported by our Vice President of Infrastructure and Security, assumes primary responsibility for assessing and managing material cybersecurity risks. With over 25 years of experience spanning restaurant, retail, and technology brands, our CTO brings a wealth of expertise to the role. Having previously held similar positions leading and overseeing cybersecurity programs at both private and public companies, our CTO is well-equipped to navigate the complex landscape of cybersecurity threats and challenges.
Our Company has established robust policies and processes governing the assessment, response, and notifications associated with cybersecurity incidents. These protocols ensure a systematic and coordinated approach to incident management, with collaboration among engineering, legal, and senior leadership to oversee compliance with legal and regulatory requirements, and provide clear mechanisms for escalating notifications to our CEO and the Board based on the nature and severity of each incident.
While we have experienced cybersecurity incidents in the past, in the last fiscal year we have not identified risks from known cybersecurity threats, including as a result of prior cybersecurity incidents, that have materially affected the Company or our financial position, results of operations and/or cash flows. We continue to invest in cybersecurity and the resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see “Risk Factors.”