Dutch Bros Inc. - (BROS)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We rely on information technology networks and systems and data processing to manage a variety of business processes and activities, including, without limitation, to process customer payments and conduct our marketing efforts. We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic, or competitive in nature, and customer data.
We utilize certain third-party service providers to perform a variety of functions, such as outsourcing certain business-critical functions, augmenting staff for after-hours support, and helping track chain of custody for physical PCI devices for our shops, as well as application providers, hosting companies, distributors, supply chain resources, property management, cloud-based infrastructure, data center facilities, encryption and authentication technology, corporate productivity services, and other functions. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, for certain service providers our vendor management process may include reviewing the cybersecurity practices of certain providers, contractually imposing obligations on certain providers related to the services they provide and/or the information they process, conducting security assessments, requiring providers to complete written questionnaires regarding their services and data handling practices, conducting periodic re-assessments during their engagement, using a third-party vendor management security company to provide certain ongoing monitoring, or annually collecting certain information security-related compliance documentation and reports.
Risks from cybersecurity threats are among those that we address in the Company’s general risk management program. As part of our overall risk management processes, the Company maintains various policies related to information security, including an Incident Response Policy and a Cybersecurity Incident Reporting Policy. We identify cybersecurity threats as part of our risk management processes, including (depending on the environment or systems) through internal monitoring, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environments, evaluating our and our industry’s risk profile, evaluating threats reported to us, conducting threat assessments for internal and external threats, and conducting vulnerability assessments to identify vulnerabilities. Our information technology team is responsible for identifying, assessing, and managing the Company’s cybersecurity threats and risks under the oversight of our Chief Technology Officer. This team works with third parties from time to time to help identify, assess, and manage cybersecurity risks, including professional services firms and other vendors.
Based on our assessment process, we implement and maintain various technical, physical, and organizational measures designed to manage and mitigate cybersecurity risks and potential material impacts. Depending on the environment or systems, we implement measures designed to prevent, detect, respond to, mitigate, and recover from identified and significant cybersecurity threats. The risk management and reduction measures we implement for certain of our environments or systems include: policies and procedures designed to address cybersecurity threats, including an incident response policy, acceptable use policy, and vulnerability management policy; internal and/or external audits of some environments to assess our exposure to cybersecurity threats, our environment, our compliance with risk mitigation procedures, and the effectiveness of relevant controls; documented risk assessments; encryption of certain data; network security controls in certain systems; physical and electronic access controls in certain environments; asset management, tracking, and disposal; systems monitoring of certain systems; employee security training; penetration testing of certain environments; maintaining cyber insurance; and a dedicated cybersecurity officer.
Dutch Bros Inc.| Form 10-K | 61
Our business, results of operations, or financial condition could be materially affected as a result of such risks, due to: the cost of and modification of business activities related to prevention or incident response; potential system failure, data loss, fraud or theft, or other material adverse consequences; disruptions, including in operations, due to potential delays in remediation of high risk or critical vulnerabilities; costs of notices and other disclosures that may be required by applicable data privacy and security obligations; or our inability to recover such costs under insurance policies or contractual rights. See "Risks Related to Our Business" in Item 1A, Risk Factors for more information.
Governance
The Audit and Risk Committee of the board of directors is responsible for oversight of the Company’s processes and policies for enterprise risk identification, management, and assessment, including key risks around data privacy, technology, and information security. Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Technology Officer (CTO), Leigh Gower, who has more than 20 years of experience in the information technology field, including work in cybersecurity risk management. Prior to serving the Company, our CTO gained cybersecurity experience serving as Vice President, Technology at Blue Nile, as Senior Director, Product & Technology at T-Mobile, and as Management Consultant at Slalom Consulting.
Our CTO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our CTO and her team are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including reporting certain incidents to a cross-functional group responsible for making ongoing assessments of reported incidents, which is led by our Chief Legal Officer and Chief Technology Officer and includes members of our standing Disclosure Committee. The Chief Legal Officer is responsible for informing the Audit and Risk Committee regarding the Company’s significant cybersecurity threats and risks and meets with the Audit and Risk Committee at periodic or special meetings to review and discuss issues. Our Chief Legal Officer oversees an annual enterprise risk assessment that addresses certain applicable cybersecurity risks, the results of which are presented to the Audit and Risk Committee. We engage a third-party consulting firm to assist with the annual enterprise risk assessment. Our Chief Legal Officer works with the Board, senior management, others at various levels of the organization, and our outside advisors to help identify, assess, and validate the Company’s top risks, taking into account past risk mitigation activities and future plans. Under our Cybersecurity Incident Reporting Policy, the Chief Legal Officer is also responsible for communicating to the Audit and Risk Committee the activities of the Company related to the assessment and reporting of potentially significant cybersecurity incidents.