Wendy's Co - (WEN)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Wendy’s is committed to securing our information systems against cybersecurity threats and protecting the privacy and security of our customers’, employees’, franchisees’ and business partners’ information. However, as described in “Item 1A. Risk Factors—Risks Related to Technology and Cybersecurity” of this Form 10-K, we recognize that cybersecurity threats are an ongoing concern in today’s interconnected digital world and that, despite devoting considerable resources to secure our information systems, cybersecurity incidents can occur and, if so, could negatively impact our brand, business, results of operations and financial condition. Based on this recognition and taking into account experience from previous cybersecurity incidents, we have developed a comprehensive cybersecurity risk management strategy designed to identify, assess and manage potential threats to our information systems. Key components of our cybersecurity risk management strategy include the following:

CIS Controls. We design our cybersecurity risk management strategy based on the Center for Internet Security’s (“CIS”) Critical Security Controls Framework and other industry accepted standards and practices. The CIS is an internationally recognized, non-profit organization dedicated to developing controls, benchmarks and best practices for cybersecurity risk management. We conduct an annual assessment of our progress against the CIS controls to measure our performance against accepted benchmarks and identify ways to enhance our cybersecurity risk management strategy. The results of the assessment are reviewed by our Internal Audit team and shared with senior leadership and the Technology Committee of our Board of Directors.

Regular Risk Assessments. We conduct regular risk assessments to identify and assess material risks to our information systems, including as part of our enterprise risk management (“ERM”) program, which is described in more detail under “Cybersecurity Governance” below. These risk assessments involve input from key stakeholders, including those with assigned accountability for managing risk and supporting technical risk subject matter expertise, and consider a variety of factors, including our global business strategy, operations and support, information systems and data assets.

Infrastructure. We design our cybersecurity infrastructure, including firewalls, endpoint security, intrusion detection tools and identity access management systems, to provide a multi-layered approach to protecting our information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

Dedicated Personnel. We have several dedicated teams of cybersecurity specialists, including teams focused on executing internal and external vulnerability and penetration assessments, designing secure systems and applications, monitoring for intrusions and providing incident response. In recent years, we have made significant investments in technology insourcing and reassumed direct ownership of certain information security related teams and functions.

Training. We have an ongoing cybersecurity training program for designated employees and contractors which addresses, among other things, our cybersecurity risk management processes, overall cybersecurity awareness and industry cybersecurity best practices. This training program includes initial onboarding training, annual refresher training and periodic awareness assessments such as email phishing campaigns to test user awareness and defend against business email compromise.

Third-Party Experts. In addition to our internal cybersecurity risk management practices, we engage third-party experts to provide independent, external assessments of our information systems and security controls. These assessments address various regulatory requirements, take into consideration internal- and external-facing information systems and include tabletop exercises and technical system reviews related to security preparedness and response capabilities.

Third-Party Service Providers. We rely on third-party service providers to support our business operations and help execute our digital, restaurant technology and enterprise technology initiatives. Our contract review and onboarding process includes assessing third-party cybersecurity risk management practices and conducting data protection impact assessments for personal data processing that may result in high risk to individuals. Annually, we also review certain third parties’ information security practices for compliance with contractual and regulatory obligations.

Incident Response Plan. We maintain an incident response plan that sets forth immediate response actions, internal and external communication protocols, stakeholder involvement based on the nature of the incident and post-incident analysis processes. The incident response plan designates an incident response team that is responsible for managing and executing response activities in coordination with subject matter experts and other stakeholders in the event of an incident. The incident response plan is supplemented by detailed incident management plans that outline the technical steps to be taken in response to certain types of incidents. We regularly conduct tabletop exercises and incident response plan testing to evaluate our incident response capabilities and readiness.

Annual Strategy Review. We annually review our cybersecurity risk management strategy to ensure it addresses changes in our business operations and the evolving cybersecurity threat landscape. This includes annual reviews of our incident response plan, as well as our information security, data classification and other Company policies and standards, reports to our Board of Directors and Board committees and detailed presentations to support the annual renewal of our system cyber insurance program.

Peer Involvement. We are active in the information security community, including as a core member of the Retail and Hospitality Information Sharing and Analysis Center (“RH-ISAC”), which represents more than 200 companies across retail and other consumer-facing industries. As a member of RH-ISAC, we benefit from real-time collaboration, industry specific benchmarking, threat intelligence reports and analysis, industry-relevant committees and working groups and numerous cybersecurity training, education and knowledge sharing opportunities.

Cybersecurity Insurance. We maintain cyber risk insurance coverage that is intended to mitigate the financial impact of cybersecurity and data privacy incidents experienced by the Company and the Wendy’s system in the U.S. and Canada. There can be no assurance that our cyber insurance policies will be sufficient in scope or amount to cover the costs and expenses related to any future incidents.

Cybersecurity Governance

Role of the Board

Our Board of Directors provides oversight with respect to our risk assessment and risk management activities, including our cybersecurity risk management strategy. While our Board has primary responsibility for risk oversight, the Board’s standing committees support the Board by addressing various risks within their respective areas of responsibility.

The Audit Committee oversees our ERM program, which is designed to identify current and potential risks facing the Company and ensure that actions are taken as and when appropriate to manage and mitigate those risks. Cybersecurity risks are integrated into our ERM program, which includes an annual risk assessment, assignment of accountability for risk management and development of risk treatment strategies. We believe that evaluating cybersecurity risks alongside other business risks under our ERM program aligns our cybersecurity risk management strategy with the Company’s broader business goals and objectives. The Audit Committee receives a comprehensive ERM report from management on a semiannual basis and discusses the results with the full Board. The Board also receives a comprehensive ERM report from management on an annual basis.

The Technology Committee provides oversight with respect to our technology risk management, assessment and exposures, including cybersecurity risks. The Technology Committee receives regular updates from the Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”) regarding our cybersecurity risk management strategy, the cyber threat landscape, industry trends and other relevant cybersecurity topics. Management also provides the Technology Committee with detailed reports regarding our technology priorities and initiatives to ensure that our cybersecurity risk management strategy remains current and aligned with our overall business strategy.

Role of Management

Our CIO defines and administers our cybersecurity risk management strategy. The CIO possesses both academic and industry experience, including leading multiple global retail and technology companies through technology implementation and modernization utilizing industry best practices. Our CISO reports to the CIO and directs, coordinates, plans and organizes information security activities throughout the Company, including leading the development of our cybersecurity risk management strategy. The CISO possesses academic and industry certifications and experience in leading and managing information security programs, modernization and risk remediation work with multiple global companies, in addition to expertise in state and federal law enforcement cyber investigations. The CISO briefs the CIO regularly on current cybersecurity matters and relevant issues across the cybersecurity threat landscape. The CIO and CISO regularly report to our senior leadership team, as well as our Board of Directors and designated Board committees, regarding our cybersecurity risk management strategy. The CIO and CISO are supported by several dedicated teams of cybersecurity specialists, including teams responsible for vulnerability and penetration assessments, secure design of systems and applications, intrusion detection and monitoring and incident response. In addition, the CIO and CISO coordinate with other internal teams, including Digital, Data Governance, Operations, Finance, Legal and Internal Audit, to ensure our cybersecurity risk management strategy supports the Company’s technology strategy and overall business goals.