BJs RESTAURANTS INC - (BJRI)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY

Risk Management & Strategy

Our management is principally responsible for defining the various risks facing us, formulating risk management policies and procedures, and managing our risk exposures on a day-to-day basis. Our information is processed, transmitted, and stored in a secure environment using hardened, proven enterprise-grade technologies to protect both our data and the physical computing assets. We guard against business interruption by maintaining a disaster recovery plan, which includes storing critical business information in multiple off-site data centers, testing the disaster recovery plan at a host-site facility, and providing fault-tolerant devices, communication services, and utilities. We have independent third-party cybersecurity audits conducted no less than annually, following the standard set by the National Institute of Standards and Technology. We also have third-party security reviews and testing of our network, processes, and systems conducted on a regular basis. We use internally developed proprietary software, cloud-based software as a service (“SaaS”), and purchased software, with proven, non-proprietary hardware. While we believe that our internal policies, systems, and procedures for cybersecurity are thorough, the risk of a cybersecurity event cannot be eliminated. We may incur increased costs to comply with privacy and data protection laws and, if we fail to comply or our systems are compromised, we could be subject to government enforcement actions, private litigation, and adverse publicity.

We maintain a robust system of data protection and cybersecurity resources, technology, and processes. In addition to performing an annual risk assessment and developing a mitigation plan, along with a comprehensive review and update of our cybersecurity policies and procedures, we continuously evaluate new and emerging risks and ever-changing legal and compliance requirements. We also monitor risks relating to sensitive information at our business partners, where relevant, and reevaluate the risks at these partners periodically. We make strategic investments to address these risks and compliance requirements to keep Company, guest, and team member data secure, including maintaining a network privacy and security insurance policy. Although we have purchased cyber liability insurance to provide a level of financial protection should a data breach occur, such insurance may not cover us against all claims or costs associated with such a breach. Our comprehensive cybersecurity program includes agreements with third-party cybersecurity partners for continuous monitoring, alerting, and response. We perform annual and ongoing cybersecurity awareness training for our management and Restaurant Support Center team members, as well as specialized training for our users with privileged access. In addition, we provide annual credit card handling training following Payment Card Industry (PCI) guidelines to all team members who handle guest credit cards.

Governance

The Audit Committee receives data protection and cybersecurity reports quarterly from our Chief Information Officer, which the Audit Committee shares with the full Board of Directors. The Board of Directors' responsibility is to monitor our risk management processes by understanding our material risks and evaluating whether management has reasonable controls in place to address those risks. The involvement of the Board in reviewing our business strategy is an integral aspect of the Board’s assessment of management’s tolerance for risk and what constitutes an appropriate level of risk. While the full Board has overall responsibility for risk oversight, the Board has delegated oversight responsibility related to certain risks to the Audit Committee. As such, the Audit Committee is responsible for reviewing our risk assessment and risk management policies. Accordingly, management regularly reports to the Audit Committee on risk management, and in turn, the Audit Committee reports on the matters discussed at the Committee level to the full Board. The Audit Committee and the full Board focus on the material risks facing us, including operational, technology and cybersecurity, reputational, market, credit, liquidity, and legal risks, to assess whether management has reasonable controls in place to address these risks.

Our cybersecurity risk management and strategy processes are led by our Chief Information Officer and our Director of Cybersecurity and Infrastructure. These individuals have collectively over 40 years of professional experience in various and progressive roles across multiple, regulated industries involving developing cybersecurity strategy, implementing effective information and cybersecurity programs, managing information security infrastructure and operations, risk assessment and mitigation, and satisfactorily managing multiple industry and regulatory compliance environments. Prior to their current roles, both individuals previously held positions at other large publicly traded organizations where they were the chief stewards of cybersecurity strategy and operations.