YUM BRANDS INC - (YUM)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management Program
Information security and data privacy have been and remain of the utmost importance to the Company in light of the value we place on maintaining the trust and confidence of our consumers, employees and other stakeholders.
We have a risk-based cybersecurity risk management program (the “Program”) in place designed to assess, identify and manage material risks from cybersecurity threats. The Program falls under the oversight of our Chief Information Security Officer (“CISO”) and defines controls for access management, data protection and vulnerability detection, in addition to incident response protocols which are discussed further in the “Governance” section herein. The Program incorporates customized elements from industry-leading standards to drive robust and comprehensive protection.
To supplement our own internal processes and controls, we regularly engage consultants and other third parties as part of our Program, including to periodically:
• Test our information security defenses and perform external penetration assessments;
• Review and assess the Program and its maturity; and
• Advise our Board of Directors and management regarding the structure and oversight of the Program, incident response services and various cybersecurity-related matters.
We also have processes to oversee and identify material cybersecurity risks associated with our use of third-party service providers and their information systems. As part of these processes, we conduct cybersecurity due diligence around significant third-party service providers who access our information technology systems before their engagement. We require third-party service providers to promptly notify us of any actual or suspected breach impacting our data or operations. Additionally, we obtain System and Organization Controls (“SOC”) 1 or SOC 2 reports on an annual basis from vendors that host our significant financial applications to aid in our assessment of information security risk associated with our relationship with the host vendor. If a host vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess information security risk associated with the relationship.
Over 98% of our restaurants are owned and operated by franchisees who themselves are at risk of cyber-attacks or security incidents. There is limited direct connectivity between the Company’s network and the networks on which our franchisees operate. We have established minimum information security standards for our franchisees, which are in the process of being adopted.
Despite the security measures implemented as part of our Program, the current cyber threat environment presents increased risks for all companies, and we are a frequent target of cyber-attacks and have experienced security incidents. For example, on January 18, 2023, the Company announced a ransomware attack that impacted certain Information Technology (“IT”) systems. This incident resulted in the closure of fewer than 300 restaurants in one market for one day, and certain of the Company’s IT systems and data were affected. In addition, although data was taken from our network, the affected data was limited to certain personal information of former and current employees, and we have no evidence that customer databases were accessed.
We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter. In addition, several separate putative class actions have been filed in U.S. federal and state court by current and/or former employees alleging violations of privacy and other rights in connection with the ransomware incident.
We do not believe that any risks we have identified to date from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For additional information regarding the risks to us associated with cybersecurity incidents, see Item 1A. “Risk Factors”.
Governance
The Company’s cybersecurity risk management processes are integrated into the Company’s overall risk management processes. The Board of Directors has overall responsibility for the oversight of the Company’s risk management and has delegated the oversight of specific risk-related responsibilities to certain Board committees. The Audit Committee oversees the Company’s business and financial technology risk exposure, which includes data privacy and data protection, information security and cybersecurity, as well as the controls in place to monitor and mitigate these risks.
At a management level, our Program is led by our CISO, who reports to the Company’s Chief Digital and Technology Officer. Our CISO has expertise in cybersecurity risk management through, among other things, his past service in information security roles at the Company, prior IT and security leadership positions at other public companies, and certain certifications in technology and information security matters. Additionally, we have a formal data privacy management committee made up of privacy professionals, operational experts and specialist legal counsel, which is overseen by our Chief Legal Officer.
We have a Data Incident Response Plan (the “Plan”) which provides for controls and procedures in connection with cybersecurity events, including escalation procedures as summarized below. Under the Plan, we have established a Data Incident Response Team (the “Response Team”), a cross-functional group comprised of certain members of senior management, including our Chief Legal Officer and CISO. The Plan provides that the Response Team is responsible for assessing, investigating and responding to any cybersecurity event elevated for its consideration by our CISO.
In addition, under the Plan, we have established a cross-functional management group comprised of our Chief Legal Officer, Chief Financial Officer, Vice President Internal Audit, Vice President Compliance, Senior Vice President Finance & Corporate Controller and CISO. The Plan provides that any cybersecurity incident that is elevated for the review of the Response Team will also be reviewed by this group to determine whether any such incident is material for securities laws purposes and whether public disclosure is required or advisable in connection therewith, following any necessary consultation with the Company’s senior management, Disclosure Committee, Audit Committee and/or Board of Directors.
Our CISO and Chief Digital and Technology Officer advise the Audit Committee at least four times a year, and the Board of Directors regularly, on our management and oversight of information security risks, including data privacy and data protection risks. The Audit Committee also receives periodic updates on data privacy from members of management within our data privacy group in addition to the regular updates from our CISO. The Audit Committee provides a summary to the full Board at each regular Board meeting of the information security risk review together with any other risk related subjects discussed at the Audit Committee meeting.