CHIPOTLE MEXICAN GRILL INC - (CMG)

10-K Filing Date: February 07, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

As a global company, we are regularly subject to cyberattacks and other cybersecurity incidents. In response, we have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage cybersecurity risks. Our enterprise risk management framework considers cybersecurity risk alongside other company risks as part of our overall risk assessment process. Our enterprise risk management team collaborates with our Information Security function, led by our Chief Information Security Officer (“CISO”) and our Chief Customer and Technology Officer (“CCTO”), to gather insights for assessing, identifying and managing cybersecurity threat risks, their severity, and potential mitigations. We also are a member of an industry cybersecurity intelligence and risk sharing organization to stay abreast of changes in the cybersecurity environment.

We assess Chipotle’s Information Security program using an industry cybersecurity framework from the National Institute of Standards and Technology. This program includes policies, processes and procedures that help assess and identify our cybersecurity risks and inform how security measures and controls are developed, implemented and maintained. The risk assessment along with risk-based analysis and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls and impact of controls on operations.

We maintain internal resources to perform penetration testing designed to simulate evolving tactics and techniques of real-world threat actors, engage with industry partners and law enforcement and intelligence communities and conduct tabletop exercises and periodic risk interviews across our business. We also engage an independent third party to perform internal and external penetration testing of Chipotle's information security environment periodically and engage other third parties to periodically conduct assessments of our cybersecurity capabilities. In addition, we continue to expand training and awareness practices to mitigate risk from human error, including mandatory computer-based training and internal communications for employees. Our employees undergo cybersecurity awareness training and regular phishing awareness campaigns that are based upon and designed to emulate real-world contemporary threats. We provide prompt feedback (and, if necessary, additional training or remedial action) based on the results of such exercises.

Our processes also address cybersecurity risks associated with our use of third-party service providers, including suppliers, software and cloud-based service providers, as well as third-party security firms used in different capacities to provide or operate some of our cybersecurity controls and technology systems. We proactively evaluate the cybersecurity risk of a third party by utilizing a repository of risk assessments, external monitoring sources, threat intelligence and predictive analytics to better inform Chipotle during contracting and vendor selection processes. Additionally, when third-party risks are identified, we require those third parties to agree by contract to implement appropriate security controls. Security issues are documented and tracked, and periodic monitoring of third parties is conducted in an effort to mitigate risk.

In addition to the processes, technologies, and controls that we have in place to reduce the likelihood of a material cybersecurity incident (or series of related cybersecurity incidents), Chipotle has a written incident response plan outlining how to address cybersecurity events that occur. The plan sets forth the steps for coordination among various corporate functions and governance groups and serves as a framework for the execution of responsibilities across businesses and operational roles. Our incident response plan is designed to help us coordinate actions to prepare for, detect, respond to and recover from cybersecurity incidents, and includes processes to triage, assess severity, escalate, contain, investigate, and remediate the incident, as well as to assess the need for disclosure, comply with applicable legal obligations and mitigate the impact to our brand and reputation and on impacted parties. We also maintain insurance coverage that, subject to its terms and conditions, is intended to help us cover certain costs associated with cybersecurity incidents and information system failures.

In addition to our cybersecurity incident response plan, we conduct tabletop exercises to enhance our incident response preparedness. We maintain business continuity and disaster recovery plans to prepare for and respond to the potential for a disruption in the technology we rely on.

Chipotle (or the third parties it relies on) may not be able to fully, continuously, or effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine whether and how to implement certain security controls, and it is possible that we may not implement the necessary controls if we fail to recognize, or underestimate, a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate cybersecurity risks. Cybersecurity events, even when detected by security tools or third parties, may not always be identified immediately or addressed in the manner intended by our cybersecurity incident response plan.

Impact of cybersecurity risks on business strategy, results of operations or financial condition

Based on the information available as of the date of this Annual Report, we have no reason to believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For additional information, see “Risks Related to Cybersecurity, Data Privacy and IT Systems,” in Item 1A, “Risk Factors” in this Annual Report.

Cybersecurity Governance

Our cybersecurity risk management and strategy processes are led by our CISO and our CCTO. These individuals have collectively over 50 years of professional experience in various roles across multiple industries involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and managing multiple industry and regulatory compliance environments. Both individuals previously held positions similar to their current roles at other large publicly traded organizations.

Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors (the “Board”) and management. Although cybersecurity risk oversight remains a top priority for the Board, the Audit and Risk Committee of our Board has primary oversight responsibility for the Company’s cybersecurity and other technology risks. The Committee regularly reviews and discusses with our CISO and our CCTO the Company’s cybersecurity, privacy and data security programs, the status of projects to strengthen internal cybersecurity, results from third-party assessments, and any significant cybersecurity incidents, including recent incidents at other companies and the emerging threat landscape. The Committee also reviews with management the implementation and effectiveness of the Company’s controls to monitor and mitigate cybersecurity risks. In addition, our Board receives an annual report and quarterly written updates regarding our cybersecurity program.