Dine Brands Global, Inc. - (DIN)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.
Our cybersecurity plan, strategy, policies, standards, and processes are aligned with common security risk management frameworks and practices, including detailed tasks, plans and initiatives, which are reviewed and updated annually and periodically.
Our cybersecurity program is risk-based with an underlying threat modeling framework to enable us to track and measure our progress based on five pillars: strategy and foundation, teach and communicate, build and enhance, risk reduction and maturity, and security compliance. Our program framework and foundation are based on common security standards and frameworks, including ISO/IEC 27001/2:2022 and NIST Cyber Resiliency Framework and Model, in alignment with PCI DSS, privacy laws and regulatory requirements.
Our Chief Information Security Officer (“CISO”) leads our cybersecurity team and is generally responsible for management of cybersecurity risk and the protection and defense of our networks and systems. Our CISO has 25 years of experience serving in various roles related to cybersecurity and information security. Our Security Steering Committee (“SSC”), chaired by our CISO, comprises executive-level representatives from our Information Technology (“IT”), legal, enterprise risk management and internal audit teams and is responsible for oversight, evaluation and coordination of activities related to safeguards, security risk, controls, remediation activities, policy governance and other factors. Our cybersecurity plan, strategies, policies, standards, and processes are aligned with common security risk management frameworks and practices, including detailed tasks, plans and initiatives. Our program also incorporates incident response plans and notification protocols to assess and manage incidents and threats, including their materiality.
Our cybersecurity program uses layered security defenses, cyber resiliency and automation capabilities for our security functions and operations. Our cybersecurity roadmap outlines and defines the security initiatives, projects and tasks. All security efforts and projects are discussed by the SSC. Security events are identified via multiple channels, including without limitation security detection mechanisms, near real-time system alerts, out-of-band channels and dark web monitoring. Our employees and vendor partners are also trained to report any security events to the cybersecurity team, which escalates and notifies the legal team, senior executives, and the Board of Directors as needed.
Our cybersecurity risk management program is based on legal and regulatory requirements and considerations. Cybersecurity risks are included as an integral part of our broader Enterprise Risk Management (“ERM”) program and are reviewed quarterly by a cross-functional team of internal stakeholders to assess the risk level and the strength of our mitigation strategies. Our cybersecurity risk assessment is performed regularly throughout the year, and may include:
• Regular cybersecurity program, risk and incident reporting to the Board of Directors;
• Quarterly cybersecurity risk reporting to the Enterprise Risk Committee, which includes the Company's Chief Executive Officer, Chief Financial Officer, Senior Vice President, Legal, General Counsel & Secretary, Internal Audit, Chief Information Officer and CISO; and
• Monthly Security Steering Committee meetings with members from the Company's cybersecurity, ERM, IT, internal audit and legal teams.
We engage with a range of third-party cybersecurity service providers, assessors and auditors to evaluate and enhance the effectiveness of our cybersecurity program. Services provided by these third parties include 24/7 security logging, network and endpoint monitoring, vulnerability scanning, penetration testing, security incident response tabletop exercises and security and compliance posture assessments. Vendor security monitoring is an important component of our cybersecurity program, helping ensure that our vendors secure and protect our critical infrastructure, data, and information. It is integrated with our contract management process, including security addenda and vendor security risk assessments for new contracts and annual vendor security risk assessments for critical vendors.
Our security incident response plan provides guidelines and requirements for reasonable and consistent responses to security incidents to limit damage while preserving the confidentiality, integrity and availability of Company systems and information, and reducing recovery time and cost, including, but not limited to, escalation of security incidents to appropriate team members for investigation and response and documenting the required steps for investigation and remediation taken during the security incident response. We perform an annual tabletop exercise led by third-party security experts with participation from executive management and technical internal teams.
As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition.
The Board of Directors recognizes the importance of cybersecurity in safeguarding the Company’s sensitive data. The Board of Directors is responsible for overseeing overall risk management for the Company. The Audit Committee receives reports from the CISO regarding the cybersecurity program. The presented topics include, but are not limited to, the status of ongoing cybersecurity initiatives, incident reports and compliance with industry standards. Members of the Board of Directors also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.