BurgerFi International, Inc. - (BFI)
10-K Filing Date: April 10, 2024
Item 1C. Cybersecurity.
We recognize the critical importance of maintaining the trust and confidence of our customers, franchisees, and employees.
Our operations utilize multiple information systems, including accounting software, human resources management software, back of house systems, supply chain software, our brands’ mobile apps, online ordering platforms, in-restaurant kiosks, point-of-sale software, and back-of-house software. In the ordinary course of our business, we collect, process, transmit, disclose, and retain personal information regarding our employees, our franchisees, vendors, contractors, and guests (which can include social security numbers, social insurance numbers, banking and tax identification information, health care information for employees, and credit card information) and our franchisees collect similar information.
To protect the information that we gather and the availability of our information systems from cybersecurity threats, we have an ongoing cybersecurity risk mitigation program, which includes maintaining up-to-date detection, prevention and monitoring systems and contracting with outside cybersecurity firms to provide continuous monitoring of our systems as well as threat-detection services. We define a cybersecurity threat as any potential unauthorized occurrence on or conducted through our information systems or information systems of a third party that we utilize in our business that may result in adverse effects on the confidentiality, integrity or availability of our information systems or any information residing therein.
Our cybersecurity risk management program includes:
▪ Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
▪ A security team led by a Chief Technology Officer (“CTO”) principally responsible for managing our (1) cybersecurity risk assessment processes, (2) security controls, and (3) response to cybersecurity incidents;
▪ The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls and designed to anticipate cyber-attacks and prevent breaches;
▪ Cybersecurity awareness training of our employees, incident response personnel, and senior management; and
▪ A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents.
Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks.
The Audit Committee receives quarterly reports from management on our cybersecurity risks. In addition, management updates the Audit Committee, as necessary, regarding cybersecurity incidents that we experience.
The Audit Committee reports to the full board of directors regarding its activities, including those related to cybersecurity.
Our management team, including historically our CTO, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises our retained external cybersecurity consultants. Our former CTO who recently left the company had significant experience across digital innovation and technology-enabled growth, information security, infrastructure, operations and compliance, including over 10 years of experience managing enterprise level programs over IT. The Company has identified a candidate that it desires to fill the role.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.
We have not encountered any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Item 1A. Risk Factors for potential risks related to our information technology systems that we are subject to and that may materially adversely affect our business (“Security breaches of either confidential guest information in connection with, among other things, our electronic processing of credit and debit card transactions or mobile ordering app, or confidential employee information may adversely affect our business” and “Failure to comply with privacy and cybersecurity laws and regulations could cause us to face litigation and penalties that could adversely affect our business, financial conditions, and results of operations.”).