Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 29, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We maintain a risk-based, defense-in-depth approach to cybersecurity and data protection. We assess industry best practices and standards and endeavor to leverage them in our efforts to manage cybersecurity risk. We dedicate resources and apply security controls where we believe they would be most effective to predict, prevent, detect and respond to potential security threats to our highest value information assets, which we consider to be point-of-sale systems, financial systems and confidential, personal and private customer and employee information. We use multiple safeguards to protect our internal networks and systems, including, among others, firewalls, email protection and web filtering, endpoint detection and response software, controlled access to our data and systems, segmenting our card data environment, vulnerability management and patching, and performing regular penetration testing. A risk assessment, based on the National Institute of Standards and Technology Framework, is conducted and maintained throughout the system development lifecycle and is reviewed at least annually.
We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities, and we investigate security incidents that have impacted our third-party providers, as appropriate.
As part of our information security training program, employees and contractors participate in various cybersecurity awareness activities, including formal training exercises and simulated phishing events. We also contract with third-party cybersecurity firms to conduct simulated cyberattacks and perform regular penetration testing to assess the effectiveness of our security measures. We have also engaged with external subject matter experts to assess access management, information technology asset management and our cybersecurity policies.
We have company-wide business continuity and disaster recovery plans used to prepare for multiple events, including a potential disruption in the technology on which we rely. We maintain incident response plans and playbooks to prepare for various contingencies and types of incidents. The cybersecurity incident response plan (“IRP”) includes immediate actions to mitigate and contain the short-term impact of an incident, and long-term strategies for remediation and prevention of future incidents. The IRP also includes policies that dictate escalation procedures and remediation plans based on the severity level of an incident. As part of our IRP, we consider engaging third-party cybersecurity firms to assist in the event of a significant incident. We also conduct tabletop exercises to enhance incident response preparedness.
We, like others in our industry, experience cybersecurity incidents and attempts to access our systems. In the event we experience an incident, we classify it based on its significance and track remediation actions and outcomes. Although we do not believe we have been materially affected by cybersecurity incidents or threats in the past, or that past incidents are reasonably likely to materially affect us, we cannot provide any assurance that we will not experience a material incident in the future. As described above, we utilize a risk-based approach to manage cybersecurity risk, and it is possible we may not implement appropriate controls if we do not recognize, or if we underestimate, a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. See Item 1A. Risk Factors for additional discussion of our cybersecurity risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We maintain a risk-based, defense-in-depth approach to cybersecurity and data protection. We assess industry best practices and standards and endeavor to leverage them in our efforts to manage cybersecurity risk. We dedicate resources and apply security controls where we believe they would be most effective to predict, prevent, detect and respond to potential security threats to our highest value information assets, which we consider to be point-of-sale systems, financial systems and confidential, personal and private customer and employee information. We use multiple safeguards to protect our internal networks and systems, including, among others, firewalls, email protection and web filtering, endpoint detection and response software, controlled access to our data and systems, segmenting our card data environment, vulnerability management and patching, and performing regular penetration testing. A risk assessment, based on the National Institute of Standards and Technology Framework, is conducted and maintained throughout the system development lifecycle and is reviewed at least annually.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Our Board of Directors (our “Board”) has charged the Audit Committee with oversight of the Company’s identification, assessment and management of cybersecurity and data privacy risks. The Audit Committee receives quarterly updates from our Chief Information Security Officer (“CISO”) and our Chief Information Officer (“CIO”) regarding our cybersecurity program and actions taken to manage cybersecurity risk, which include risk identification and management strategies, consumer data protection, security programs, ongoing risk mitigation activities and results of third-party assessments and testing.
We maintain a dedicated cybersecurity department, which consists exclusively of Company employees, within our broader information technology department. Functions within this department include new information technology solution design and implementation, vulnerability management, phishing awareness, threat detection, Payment Card Industry compliance and incident response. Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the CISO, who has over 25 years of experience in the field of cybersecurity, including prior service in the military in cybersecurity roles, and relevant industry certifications commensurate with his role. Our CISO reports directly to the CIO, who has over 20 years of technology leadership experience in various industries.
Our CIO receives status reports from our cybersecurity department regularly and reports to our Chief Executive Officer, who receives updates on incidents, trends, projects and other relevant information regularly. In addition, as part of our incident response planning, we maintain cross-functional response teams to be prepared to respond to an incident.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board of Directors (our “Board”) has charged the Audit Committee with oversight of the Company’s identification, assessment and management of cybersecurity and data privacy risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
We maintain a dedicated cybersecurity department, which consists exclusively of Company employees, within our broader information technology department. Functions within this department include new information technology solution design and implementation, vulnerability management, phishing awareness, threat detection, Payment Card Industry compliance and incident response.
|Cybersecurity Risk Role of Management [Text Block]
|Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the CISO, who has over 25 years of experience in the field of cybersecurity, including prior service in the military in cybersecurity roles, and relevant industry certifications commensurate with his role. Our CISO reports directly to the CIO who has over 20 years of technology leadership experience in various industries.
Our CIO receives status reports from our cybersecurity department regularly and reports to our Chief Executive Officer, who receives updates on incidents, trends, projects and other relevant information regularly. In addition, as part of our incident response planning, we maintain cross-functional response teams to be prepared to respond to an incident.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Board of Directors (our “Board”) has charged the Audit Committee with oversight of the Company’s identification, assessment and management of cybersecurity and data privacy risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the CISO, who has over 25 years of experience in the field of cybersecurity, including prior service in the military in cybersecurity roles, and relevant industry certifications commensurate with his role. Our CISO reports directly to the CIO who has over 20 years of technology leadership experience in various industries.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our CISO reports directly to the CIO who has over 20 years of technology leadership experience in various industries.
Our CIO receives status reports from our cybersecurity department regularly and reports to our Chief Executive Officer, who receives updates on incidents, trends, projects and other relevant information regularly. In addition, as part of our incident response planning, we maintain cross-functional response teams to be prepared to respond to an incident.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true