Grocery Outlet Holding Corp. - (GO)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Assessing, identifying and managing data security, privacy and cybersecurity related risks are integrated into our overall enterprise risk management ("ERM") process, which considers all strategic, operational, compliance and financial risks across the organization. Our ERM process is conducted on an annual basis by our internal audit team through feedback from senior management, certain functional leaders and certain Board members. Risks are categorized as low, medium and high risks based on a quantitative and qualitative evaluation of how each risk could impact the Company's operations, current objectives and long-term strategies. Each high risk is assigned to a member of senior management as the risk owner and the Board or a Board Committee for oversight, with the risk owner developing a risk mitigation plan that is tracked to completion. Low and medium risks are subject to various levels of internal monitoring. The annual risk assessment is reviewed with the Audit and Risk Committee and the Board of Directors.
Our Audit and Risk Committee is responsible for the oversight of data security, privacy and cybersecurity related risks. Our CIO has a Bachelor of Science in Computer Engineering and over 26 years of experience in senior leadership roles overseeing privacy, information technology and cybersecurity, including within the grocery retail industry. Our CIO reports to our Chief Operations Officer, who also has decades of information technology experience, including with retailers such as Walmart, Inc., Family Dollar Stores, Inc. and Gap, Inc. Under the direction of our information technology department, we have implemented policies and controls in line with the requirements of the International Organization for Standardization and have assessed our cybersecurity maturity levels against the National Institute of Standards and Technology framework to set appropriate standards and guidelines. We monitor and remediate threats through our managed detection and response program and our vulnerability management program. We provide regular employee communications and mandatory training, periodically review our incident response and breach notification plan, and leverage third-party expertise for testing, assessments and improvements. We have an onboarding and periodic security review process for all third-party vendors who have or will have access to our confidential information. We have also established business continuity and disaster recovery plans that are designed to limit downtime and data loss in the event of a security breach.
As we have increased our remote workforce in recent years, the Audit and Risk Committee and management have focused on enhancing the security of remote access with trusted devices, endpoint security controls and infrastructure resiliency. As part of this process, we enhanced our security incident response procedures to address risks specific to remote working conditions. We continue to monitor and take reasonable actions intended to improve our security posture with process improvement, testing, simulation training and investments where necessary and appropriate for our company.
We have a written incident response plan that is implemented by our cybersecurity incident response team, composed of members of our information security, legal, human resources, finance and communications teams, whose function is to respond to any such incident, define and seek to control the extent of the incident, assess and take reasonable actions intended to remediate any damage caused, and implement measures designed to prevent future recurrences. The materiality of any cybersecurity incident is evaluated by senior management, including the legal and finance departments, and, in certain circumstances, by our third-party advisors. We periodically perform simulations (referred to as tabletop exercises) at a management level with external resources and advisors.
We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our results of operations or financial condition, in fiscal 2023 and recent years, we have, from time to time, experienced threats to and attempted breaches of our data and systems, including malware and computer virus attacks. In the future, we may not be successful in preventing or mitigating a cybersecurity incident that could ultimately have a material adverse effect on our business, operations and financial performance. We carry cyber risk insurance that provides protection against a breach or other data security incident, but such insurance may not be sufficient, and any related insurance proceeds may not be timely paid to us. For more information about the cybersecurity risks we face, see the risk factors under the heading entitled "Risks Related to our Information Technology Systems, Data Protection and Cybersecurity" in "Item 1A. Risk Factors" of this Annual Report on Form 10-K.