DOMINOS PIZZA INC - (DPZ)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity.

 

Cybersecurity Governance

 

The Company’s entire Board of Directors is engaged in risk management oversight, including the oversight of risks from cybersecurity threats. In accordance with the NYSE listed company rules, the Audit Committee assists the Board of Directors in its oversight of Domino’s company-wide risk management and the process established to identify, assess, measure, monitor and manage risks, including major information security and cybersecurity risks, with input from the Company’s internal committee dedicated to assessing and managing enterprise risk comprised of members of the Company’s Executive Leadership Team who report directly to our Chief Executive Officer in addition to other senior leaders within the Company (the “Enterprise Risk Committee”).

 

Cybersecurity and related matters are a recurring topic at meetings of the Audit Committee and the Company’s Executive Vice President and Chief Technology Officer (“CTO”) and Chief Information Security Officer (“CISO”) provide the Audit Committee with an update on the Company’s cybersecurity risk profile and strategy at multiple Audit Committee meetings each year. These updates include both qualitative and quantitative information on the effectiveness of the Company’s cybersecurity controls.

 

At an operational level, the Company’s cybersecurity strategy is shaped by its CISO who is ultimately responsible for implementing the Company’s cybersecurity policies, procedures and strategy under the oversight of the Enterprise Risk Committee. The Company’s CISO regularly provides updates to the Enterprise Risk Committee at relevant meetings and provides additional updates to the Company’s Chief Executive Officer, Executive Vice President and Chief Financial Officer, Executive Vice President, General Counsel and Corporate Secretary and CTO on a regular basis in between the meetings of the Enterprise Risk Committee. Such updates are designed to ensure the Enterprise Risk Committee and Company executives remain informed about and are able to monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. The Company’s CISO has multiple decades of experience in the cybersecurity and information security fields with relevant experience supplemented by undergraduate and post-graduate degrees in information technology and security and completion of additional related executive education, along with holding several industry-recognized cybersecurity certifications. The Company’s CTO supplements the expertise and experience of the CISO.

 

Under the oversight of the Enterprise Risk Committee, relevant information regarding the Company’s cybersecurity profile and any cybersecurity threats or incidents is then communicated during the regular updates to the Audit Committee in a process designed to ensure the Board of Directors and Audit Committee maintains appropriate oversight of the Company’s cybersecurity strategy and risk profile.

 

Cybersecurity Risk Management and Strategy

 

Cybersecurity is a key component of the Company’s overall risk management system, and the Company believes it has implemented robust processes that are designed to effectively manage risks from cybersecurity threats. Domino’s cybersecurity program is embedded into the Company’s enterprise risk management framework from both a resource allocation and strategic initiative perspective and is supported by an extensive catalog of layered security controls that are designed to prevent and detect internal and external security threats and safeguard privacy and personal data of customers, team members, franchisees and other business partners. Domino’s maintains this comprehensive information security program with a dedicated team that is responsible for directing, coordinating, planning and organizing information security activities throughout the Company and is led by the Company’s CISO.

 


The Company leverages a combination of the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS) Critical Security Controls as the scale against which to assess its information security program and invest in its ability to proactively defend against security risks within its environment. Domino’s conducts annual risk assessments, both internally and through the use of third parties, to evaluate the effectiveness of its security controls and identify new threats and vulnerabilities and appropriate controls to mitigate risks and supplements these regular assessments with ongoing monitoring. Additionally, Domino’s participates in ongoing and periodic assessments of its external platform and applications to include running a responsible disclosure program to ensure that vulnerabilities that are discovered can be reported and appropriately remediated. Domino’s has been certified as compliant with the Payment Card Industry Data Security Standard (“PCI DSS”) standards and has several dedicated teams of specialists within its information security department that routinely conduct internal and external vulnerability and penetration assessments in accordance with both PCI DSS and industry accepted practices. This team keeps the Company’s management informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents and leads the Company’s processes to oversee and identify risks from cybersecurity threats associated with the Company’s use of its third-party service providers. The Company additionally has established and maintains a dedicated Security Operations Center (SOC) team that is responsible for quickly identifying and treating events that could pose risk to its technology environments and that has a documented incident response plan in place.

 

The Company, its vendors and service providers and their respective vendors and service providers face various security threats on a regular basis, including ongoing cybersecurity threats to and attacks on its and their information technology infrastructure that are intended to gain access to the Company’s proprietary information, destroy or modify data or disable, degrade or sabotage systems. Cyber incident techniques change frequently, may not immediately be recognized and can originate from a wide variety of sources, including as part of the supply-chain of software and computer code that supports the software and systems on which the Company and such parties rely. There has been an increase in the frequency, sophistication and ingenuity of the data security threats the Company and these vendors and service providers face, with attacks ranging from those common to businesses generally to those that are more advanced and persistent.

While the Company does not believe that any risks from cybersecurity threats (as defined in Item 106 of Regulation S-K), including as a result of any previous cybersecurity incidents, have to-date materially affected the Company, including its business strategy, results of operations or financial condition, the occurrence of cybersecurity incidents, or a deficiency in cybersecurity, could negatively impact the Company’s business by causing a disruption to its operations, a compromise or corruption of confidential information, or damage to the Company’s employee and business relationships, any of which could have adverse effects on the Company’s results of operations, financial condition and cash flow and harm its brand. The costs related to cyber or other security threats or disruptions may not be fully insured or indemnified by others, including by the Company’s service providers. See “Risk Factors – The occurrence of cyber incidents, or a deficiency in cybersecurity, could negatively impact our business by causing a disruption to our operations, a compromise or corruption of confidential information, or damage to our employee and business relationships, any of which could subject us to loss and harm our brand” for further information.