Sprouts Farmers Market, Inc. - (SFM)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity

We believe cybersecurity is of critical importance to our success. We are susceptible to a number of significant and persistent cybersecurity threats, including those common to most industries as well as those we face as a retailer, operating in an industry characterized by a high volume of customer transactions and collection of sensitive data. These threats, which are constantly evolving, include data breaches, ransomware, and phishing attacks. We, and our vendors and suppliers, regularly face attempts by malicious actors to breach our security and compromise our information technology systems, and a cybersecurity incident impacting us or any vendor or supplier could significantly disrupt our operations and result in damage to our reputation, costly litigation and/or government enforcement action. Accordingly, we are committed to maintaining robust cybersecurity and data protection and continuously evaluate the impact of cybersecurity threats, considering both immediate and potential long-term effects of these threats on our business strategy, operations, and financial condition.

Under the oversight of our Board of Directors, and the Board’s risk committee, our management has established comprehensive processes for identifying, assessing and managing material risks from cybersecurity threats, and these processes are integrated into our overall enterprise risk management program. Our approach is proactive and adaptive, featuring regular security assessments, third-party audits, team member training, and continuous improvement of our cybersecurity infrastructure. We work to align our practices with industry best practices and regulatory standards. Our processes include detailed response procedures to be followed in the event of a cybersecurity incident, which outline steps to be followed from detection to assessment to notification and recovery, including internal notifications to management, the risk committee and the Board, as appropriate.

The risk committee of our Board is primarily responsible for oversight of risks, including those from cybersecurity threats, and is currently chaired by a director with extensive functional expertise in cybersecurity matters. Members of management, including our Chief Technology Officer, provide the risk committee updates on cybersecurity risk matters on a quarterly basis and more frequently if circumstances dictate. In these updates, members of the risk committee are apprised of cybersecurity incidents that are deemed to have had a moderate or higher impact even if immaterial to us. In addition, the risk committee reviews and actively discusses with management and among themselves the risks related to cybersecurity and critical systems in order to provide input on the appropriate level of risk for our company and reviews management’s strategies for adequately mitigating and managing the identified risks. The risk committee and management regularly update our full Board with respect to cybersecurity matters.

Our Chief Technology Officer is primarily responsible for managing material risks from cybersecurity threats, and is supported by our Vice President of Information Technology, Operations and Security, along with a dedicated team of internal cybersecurity specialists. The Information Technology leaders participate in periodic training and education on cybersecurity related topics, while members of our internal security team also maintain industry certifications, such as Certified Information Systems Security Professional (CISSP). Our current Chief Technology Officer has more than 35 years of experience in information technology. Our Chief Technology Officer is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from the internal team. We also engage specialized cybersecurity consultants and leverage third-party expertise to bolster our cybersecurity defenses. Our enterprise risk management program is designed to identify, prioritize and assess a broad range of risks, including risks from cybersecurity threats, that may affect our ability to execute our corporate strategy and fulfill our business objectives. Our Vice President of Risk Management oversees this program and works with our information technology leadership team to formulate plans to mitigate the effects of risks from cybersecurity threats. In addition, we have an escalation process in place to inform senior management and the Board of Directors of material issues.

In addition, our third-party vendors and service providers play a role in our cybersecurity. These third parties are integral to our operations but pose cybersecurity challenges due to their access to our data and our reliance for various aspects of our operations, including our supply chain. We have developed a third-party vendor risk management program to assess and manage the risks associated with third-party partnerships, particularly in data security and cybersecurity. We conduct due diligence before onboarding new vendors and maintain ongoing evaluations to ensure compliance with our security standards.

As of the date of this report, no cybersecurity incidents have had, either individually or in the aggregate, a material adverse effect on our business, financial condition or results of operations. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cyber risk insurance, the costs relating to certain kinds of security incidents could be substantial, and our insurance may not be sufficient to cover all losses related to any future incidents involving our data or systems.

See Item 1A. “Risk Factors – Disruptions to, security breaches or non-compliance involving, our information technology systems could harm our ability to run our business and expose us to potential liability and loss of revenues.” for a discussion of cybersecurity risks that may materially impact us.