Driven Brands Holdings Inc. - (DRVN)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
We maintain a cybersecurity program that is reasonably designed to protect our information, and our customers’ information, from cybersecurity threats against us, our franchisees, our third-party vendors, and services providers, that may result in a material adverse effect on the confidentiality, integrity, and availability of our information systems.
Governance
Management
Our Cybersecurity Team, led by our Chief Information Security Officer (“CISO”), is responsible for the implementation, monitoring, and maintenance of the cybersecurity and data protection practices across the Company. The CISO, in conjunction with a cross-functional team, regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. In addition to our internal cybersecurity capabilities, we also regularly engage consultants, and other third parties to assist with assessing, identifying, and managing cybersecurity risks and to participate in tabletop and other training exercises.
Board of Directors
Our Board of Directors, in coordination with its Audit Committee, oversees the Company’s enterprise risk management process, including the management of risks arising from cybersecurity threats. The Audit Committee regularly receives reports and presentations from the CISO regarding cybersecurity. The CISO also reports to the Board at least annually on cybersecurity matters. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, are reported to the Board and/or Audit Committee.
Risk Management and Strategy
We employ a defense-in-depth approach with systems and processes designed to oversee, identify, and reduce the potential impact of a security incident against us or a third-party vendor or service provider. These include but are not limited to: Multi-factor Authentication, Privileged Account Management, Endpoint, Email and Cloud Security platforms, immutable backups, vulnerability scanning, third party risk assessments, and other applicable controls.
Incident Response
We have adopted a Cybersecurity Incident Response Plan (the “IRP”) that applies in the event of a cybersecurity incident that provides a standardized framework for responding to cybersecurity incidents. The IRP sets out a coordinated approach to investigating, containing, documenting, and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate, and complying with application regulatory notifications and standards. In general, the IRP leverages the NIST Cybersecurity Framework and the Computer Security Incident Handling Guide (NIST SP 800-61) to guide practices in preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation. The IRP applies to all Company personnel (including third-party contractors, vendors and partners) that perform functions or services require access to secure Company information, and to all devices and network services that are owned or managed by the Company.
36