Chefs' Warehouse, Inc. - (CHEF)

10-K Filing Date: February 27, 2024
Item 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

As part of our cybersecurity process, we engage external auditors and consultants to assess our cybersecurity program and compliance with applicable practices and standards. To identify and manage the material risks of cybersecurity threats to our business, operations and control environments, we have made significant investments in our technology and have implemented policies, programs and controls, with a focus on cybersecurity incident prevention and mitigation. Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed by third-party auditors and consultants, as well as our internal Information Technology and Legal teams, to ensure compliance with applicable practices and standards.

We mitigate risks from cybersecurity incidents using a multi-faceted approach that includes, but is not limited to: establishing information security policies and standards, implementing information protection processes and technologies, assessing cybersecurity risk through vulnerability assessments and audits on an annual basis, reviewing newly developed cybersecurity standards or legislation, implementing cybersecurity training, monitoring our information technology systems for cybersecurity threats and collaborating with public and private organizations on best practices. .

We did not experience a material cybersecurity incident during the fiscal year ended December 29, 2023. For more information on risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, see “Information technology system failures, cybersecurity incidents or other disruptions to our use of technology and networks could interrupt our operations and adversely affect our business” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our board of directors is engaged in overseeing and reviewing the Company’s strategic direction and objectives, including the Company’s risk profile and exposures as they relate to cybersecurity, conducting reviews of policies regarding risk assessment and risk management and major risk exposures, as well as evaluations of risks from potential or actual cybersecurity threats. Our Chief Information Officer, Vice President of Infrastructure, and Security Administrator have responsibility of cybersecurity oversight of the Company and each have 12, 15, and 6 years of cybersecurity experience, respectively. The Security Administrator reports to the Vice President of Infrastructure, who in turn reports to the Chief Information Officer. Members of the Board receive regular quarterly cybersecurity updates from our Chief Information Officer, including updates on existing and new cybersecurity risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives.
29