|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 28, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We invest in a comprehensive cybersecurity program that applies a recognized framework, utilizes industry standard tools, relies on expert partners, connects associates across the organization and leverages communication to protect our systems and our data.
Our cybersecurity program is designed to protect the confidentiality, integrity and availability of critical assets and information, using a proactive and risk-based approach. We utilize the National Institute of Standards and Technology (“NIST”) Cyber Security Framework and regularly reassess our cybersecurity program. The NIST framework is structured around five commonly defined stages (Identify, Protect, Detect, Recover and Respond) and is a comprehensive approach to information and cybersecurity risk management. Our policies, including our Information Security Policy and Privacy Policy, and procedures are designed to align with industry best practices and comply with regulatory requirements. We align our payment processing policies and procedures with industry security standards, including the Payment Card Industry Data Security Standard. Throughout the year, we conduct targeted audits and assessments, using internal and external resources, of certain aspects of our information security systems. We have developed and implemented a comprehensive program designed to protect the confidentiality of sensitive information, ensure the integrity of critical data and automated processes, and safeguard the availability of our information technology capabilities.
Moreover, we have implemented appropriate policies, processes, and technology to reduce the likelihood or impact of a breach, either at US Foods or through any third-party service provider, and have appropriate cyber insurance coverage through a standalone cyber policy. Our comprehensive cybersecurity program leverages technology, third-party expertise and trained personnel to provide whole-enterprise governance, collaboration for 24-hour monitoring, threat detection and incident response (whether an incident were to occur at US Foods or involving a third-party provider) and network, cloud and mobile security. We partner with security firms to manage our security incident and event management, identify external threats, perform penetration testing, complete security assessments and support incident response. These relationships are evaluated and benchmarked regularly to ensure quality resourcing to augment our internal staff and provide insight into emerging risks inside and outside the foodservice industry. Information obtained from these processes is shared directly with our Internal Audit and Legal functions to ensure cybersecurity policies, processes, threat detection and incident response are accurately captured as part of our broader enterprise risk management systems and processes. We have developed and continually evolve our privacy and security policies to promote organizational accountability for privacy, data governance, and data protection across our business and with our collaborative partners and suppliers.
In addition, we have an employee awareness program to regularly educate our workforce on the cybersecurity risks they face and how they can operate safely. We provide all associates that have network access with annual data-security training. Our training and education programs include specialized training for associates handling confidential information, associates with privileged access, executive specific training, general information security awareness training, periodic anti-phishing campaigns, one-click email-enabled phish alert reporting functionality and advisory emails on emerging threats.
To date, we have not experienced any cybersecurity incidents that materially affected or were reasonably likely to materially affect our business strategy, results of operations or financial condition.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We invest in a comprehensive cybersecurity program that applies a recognized framework, utilizes industry standard tools, relies on expert partners, connects associates across the organization and leverages communication to protect our systems and our data.
Our cybersecurity program is designed to protect the confidentiality, integrity and availability of critical assets and information, using a proactive and risk-based approach. We utilize the National Institute of Standards and Technology (“NIST”) Cyber Security Framework and regularly reassess our cybersecurity program. The NIST framework is structured around five commonly defined stages (Identify, Protect, Detect, Recover and Respond) and is a comprehensive approach to information and cybersecurity risk management. Our policies, including our Information Security Policy and Privacy Policy, and procedures are designed to align with industry best practices and comply with regulatory requirements. We align our payment processing policies and procedures with industry security standards, including the Payment Card Industry Data Security Standard. Throughout the year, we conduct targeted audits and assessments, using internal and external resources, of certain aspects of our information security systems. We have developed and implemented a comprehensive program designed to protect the confidentiality of sensitive information, ensure the integrity of critical data and automated processes, and safeguard the availability of our information technology capabilities.
Moreover, we have implemented appropriate policies, processes, and technology to reduce the likelihood or impact of a breach, either at US Foods or through any third-party service provider, and have appropriate cyber insurance coverage through a standalone cyber policy. Our comprehensive cybersecurity program leverages technology, third-party expertise and trained personnel to provide whole-enterprise governance, collaboration for 24-hour monitoring, threat detection and incident response (whether an incident were to occur at US Foods or involving a third-party provider) and network, cloud and mobile security. We partner with security firms to manage our security incident and event management, identify external threats, perform penetration testing, complete security assessments and support incident response. These relationships are evaluated and benchmarked regularly to ensure quality resourcing to augment our internal staff and provide insight into emerging risks inside and outside the foodservice industry. Information obtained from these processes is shared directly with our Internal Audit and Legal functions to ensure cybersecurity policies, processes, threat detection and incident response are accurately captured as part of our broader enterprise risk management systems and processes. We have developed and continually evolve our privacy and security policies to promote organizational accountability for privacy, data governance, and data protection across our business and with our collaborative partners and suppliers.
In addition, we have an employee awareness program to regularly educate our workforce on the cybersecurity risks they face and how they can operate safely. We provide all associates that have network access with annual data-security training. Our training and education programs include specialized training for associates handling confidential information, associates with privileged access, executive specific training, general information security awareness training, periodic anti-phishing campaigns, one-click email-enabled phish alert reporting functionality and advisory emails on emerging threats.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Under the oversight of the Audit Committee of our Board of Directors, our cybersecurity function is managed by our Technology and Innovation team, led by our Senior Vice President, Chief Information Security Officer, Sara Schmidt, with support from the Internal Audit and Legal functions. Ms. Schmidt has served in the role since 2022. Before joining US Foods, Ms. Schmidt served as Chief Information Security Officer for Farmers Insurance, a national insurance company, from 2019 to 2022, and various other positions from 2015 to 2019. Ms. Schmidt began her career as a cryptography analyst with the National Security Agency (“NSA”), learning best practices and tactics to be an effective hacker and defender. After eight years with the NSA, she transitioned into the private sector, joining Perrigo Company from 2011 to 2015, before joining Farmers Insurance.
Ms. Schmidt and other members of Company management provide an annual cybersecurity report to our Board of Directors and quarterly reports to our Audit Committee, which reports include a review of potential threats and vulnerabilities.
We are aware that we must continuously evolve our controls to address new threats, adhere to changing laws and standards, and reduce the risk associated with the introduction of new, innovative technology. While all of our employees play a part in information security, cybersecurity, and data privacy, oversight responsibility is shared by the Board, its committees, and management, as further highlighted below.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Under the oversight of the Audit Committee of our Board of Directors, our cybersecurity function is managed by our Technology and Innovation team, led by our Senior Vice President, Chief Information Security Officer, Sara Schmidt, with support from the Internal Audit and Legal functions.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Ms. Schmidt and other members of Company management provide an annual cybersecurity report to our Board of Directors and quarterly reports to our Audit Committee, which reports include a review of potential threats and vulnerabilities.
We are aware that we must continuously evolve our controls to address new threats, adhere to changing laws and standards, and reduce the risk associated with the introduction of new, innovative technology. While all of our employees play a part in information security, cybersecurity, and data privacy, oversight responsibility is shared by the Board, its committees, and management, as further highlighted below.
|Cybersecurity Risk Role of Management [Text Block]
|
Under the oversight of the Audit Committee of our Board of Directors, our cybersecurity function is managed by our Technology and Innovation team, led by our Senior Vice President, Chief Information Security Officer, Sara Schmidt, with support from the Internal Audit and Legal functions. Ms. Schmidt has served in the role since 2022. Before joining US Foods, Ms. Schmidt served as Chief Information Security Officer for Farmers Insurance, a national insurance company, from 2019 to 2022, and various other positions from 2015 to 2019. Ms. Schmidt began her career as a cryptography analyst with the National Security Agency (“NSA”), learning best practices and tactics to be an effective hacker and defender. After eight years with the NSA, she transitioned into the private sector, joining Perrigo Company from 2011 to 2015, before joining Farmers Insurance.
Ms. Schmidt and other members of Company management provide an annual cybersecurity report to our Board of Directors and quarterly reports to our Audit Committee, which reports include a review of potential threats and vulnerabilities.
We are aware that we must continuously evolve our controls to address new threats, adhere to changing laws and standards, and reduce the risk associated with the introduction of new, innovative technology. While all of our employees play a part in information security, cybersecurity, and data privacy, oversight responsibility is shared by the Board, its committees, and management, as further highlighted below.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Under the oversight of the Audit Committee of our Board of Directors, our cybersecurity function is managed by our Technology and Innovation team, led by our Senior Vice President, Chief Information Security Officer, Sara Schmidt, with support from the Internal Audit and Legal functions.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Ms. Schmidt has served in the role since 2022. Before joining US Foods, Ms. Schmidt served as Chief Information Security Officer for Farmers Insurance, a national insurance company, from 2019 to 2022, and various other positions from 2015 to 2019. Ms. Schmidt began her career as a cryptography analyst with the National Security Agency (“NSA”), learning best practices and tactics to be an effective hacker and defender. After eight years with the NSA, she transitioned into the private sector, joining Perrigo Company from 2011 to 2015, before joining Farmers Insurance.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Under the oversight of the Audit Committee of our Board of Directors, our cybersecurity function is managed by our Technology and Innovation team, led by our Senior Vice President, Chief Information Security Officer, Sara Schmidt, with support from the Internal Audit and Legal functions. Ms. Schmidt has served in the role since 2022. Before joining US Foods, Ms. Schmidt served as Chief Information Security Officer for Farmers Insurance, a national insurance company, from 2019 to 2022, and various other positions from 2015 to 2019. Ms. Schmidt began her career as a cryptography analyst with the National Security Agency (“NSA”), learning best practices and tactics to be an effective hacker and defender. After eight years with the NSA, she transitioned into the private sector, joining Perrigo Company from 2011 to 2015, before joining Farmers Insurance.
Ms. Schmidt and other members of Company management provide an annual cybersecurity report to our Board of Directors and quarterly reports to our Audit Committee, which reports include a review of potential threats and vulnerabilities.
We are aware that we must continuously evolve our controls to address new threats, adhere to changing laws and standards, and reduce the risk associated with the introduction of new, innovative technology. While all of our employees play a part in information security, cybersecurity, and data privacy, oversight responsibility is shared by the Board, its committees, and management, as further highlighted below.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true