MONRO, INC. - (MNRO)
10-K Filing Date: May 28, 2024
Risk Management and Strategy
We execute a comprehensive cybersecurity program designed to provide structured and thorough cybersecurity risk management and governance. Our cybersecurity program is aligned with industry-wide recognized standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our program prioritizes, among other things, prevention of unauthorized access; protection of sensitive information; detection, assessment, and response to cybersecurity threats; and continuous improvement of our cybersecurity measures. The Company has established comprehensive incident response and recovery plans, regularly tests and evaluates the effectiveness of those plans, and maintains cybersecurity risk insurance.
Our cybersecurity program has a set of controls and priorities with a multi-pronged approach that includes:
● Quarterly cybersecurity awareness training for teammates, monthly phishing simulation testing and other cybersecurity awareness campaigns (e.g., articles, flyers, cybersecurity awareness month);
●A dedicated security operations team to monitor, analyze, and respond to security threats 24/7;
● Security governance to manage and maintain security processes;
● Intrusion detection and prevention systems;
● A vulnerability management program to identify and remediate vulnerabilities in our systems;
● A configuration management program to harden systems based on industry standards;
● Industry-leading email security and endpoint detection and response (EDR) platforms;
● Threat intelligence from multiple resources to identify and anticipate emerging threats;
● Network and web application firewalls;
● Multi-factor authentication; and
● Network segmentation to isolate and safeguard critical systems and sensitive data.
The Company assesses cybersecurity risks on an ongoing basis, including assessing and deploying technical safeguards designed to protect its information systems from cybersecurity threats. We regularly evaluate new and emerging risks and ever-changing legal and compliance requirements and examine the effectiveness and maturity of our cyber defenses through various means, including internal audits, targeted testing, incident response exercises, maturity assessments, and industry benchmarking.
The Company engages with a range of external professionals, including cybersecurity experts, consultants, auditors, and legal counsel to leverage specialized knowledge, experience and insights, to help ensure our cybersecurity strategies and processes remain current. This includes:
● Engaging third-party experts to periodically advise and train our Board and management regarding the structure and oversight of our cybersecurity program, Incident Response Plan (“IRP”) and various cybersecurity-related matters;
● Retaining data security and data privacy legal counsel whose practice focuses on data breach response, information security compliance, and compliance with the data privacy laws in the various jurisdictions in which the Company operates; and
● Utilizing specialized consultants and third-party managed service providers to assist us with projects that will improve the Company’s IT infrastructure, strengthen our security posture and cybersecurity incident investigations, and improve our cyber readiness.
The Company has implemented processes to identify, prioritize, assess, mitigate and remediate risks associated with third-party service providers. As part of these processes, we conduct security assessments of critical third-party providers before engagement and contractually require third parties we engage to implement security programs commensurate with their risk.
In the event of a cybersecurity incident, a cross-functional team, led by our Senior Vice President - Chief Information Officer (our “CISO”) and our Chief Legal Officer (“CLO”), is equipped with a well-defined IRP. The IRP includes immediate actions to mitigate the impact of the incident, and long-term strategies for remediation and prevention of future incidents. Among other things, the IRP sets forth roles and responsibilities in connection with detecting, assessing, and mitigating cybersecurity incidents and outlines applicable communication and escalation protocols. The IRP includes controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents to our Chief Executive Officer and Chief Financial Officer and to the Audit Committee so that, among other things, decisions regarding public disclosure and reporting of such incidents can be made in a timely manner. The Company regularly tests and evaluates the effectiveness of the IRP and the Company’s recovery plan.
Our cybersecurity program is designed to prevent unauthorized access and protect sensitive information, with a focus on continuous improvement of our cybersecurity measures. While we have not experienced any material cybersecurity threats or incidents to date, we can give no assurance that we will be able to prevent, identify, respond to, or mitigate the impact of all cybersecurity threats or incidents. To the extent future cybersecurity threats or incidents result in significant disruptions and costs to our operations, reduce the effectiveness of our internal control over financial reporting, or otherwise substantially impact our business, it could have a material adverse effect on our business, liquidity, financial condition, and/or results of operations. For additional discussion on our cybersecurity risks, refer to Item 1A. “Risk Factors” of this Form 10-K.
Governance
Board Oversight
The Board of Directors oversees the management of risks inherent in the operation of our business, with a focus on the most significant risks that we face, including those related to cybersecurity. The Board of Directors has delegated oversight of cybersecurity, including privacy and information security, to the Audit Committee. As such, the Audit Committee is central to the Board of Directors’ oversight of cybersecurity risks and bears primary responsibility for this area. The Audit Committee is composed of independent directors with diverse expertise including risk management, strategic planning, finance, and accounting and controls, in addition to relevant experience of board practices of other public companies. Audit Committee members also attend both in-house and external training on cybersecurity matters, which we believe equips them to oversee cybersecurity risks effectively.
Management’s Role
Our CISO has primary operational responsibility for the Company’s cybersecurity function. The CISO has served in various roles in information technology and information security for over 34 years, with eight years’ experience specifically in cybersecurity. The CISO, together with the Senior Director - Infrastructure & Security - who has 29 years’ experience in various information technology and information security roles and 10 years of cybersecurity experience - and the CLO have primary responsibility for assessing and managing material cybersecurity risks. This group, and their supporting teams, meet regularly to review security performance metrics, identify security risks, and assess the status of approved security enhancements. This group also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies.
The CISO plays a pivotal role in informing the Audit Committee on cybersecurity risks. She provides comprehensive presentations to the Audit Committee on a quarterly basis, or as needed. These presentations encompass a broad range of cybersecurity topics, which may include our cybersecurity program and governance processes; cyber risk monitoring and management; the status of projects to strengthen our cybersecurity and privacy capabilities; recent significant incidents or threats impacting our operations, industry, or third-party suppliers; and the emerging threat landscape. The Audit Committee actively participates and offers guidance in strategic decisions related to cybersecurity. This involvement helps ensure that cybersecurity considerations are integrated into our broader strategic and risk management objectives. Our CISO also meets with other senior leadership team members on a weekly basis. In addition, she meets with the Board of Directors on an annual basis, and as needed, where she reports on significant cybersecurity matters and strategic risk management decisions.