|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 29, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our business is substantially dependent upon our computer systems, devices and networks to collect, process and store the data necessary to conduct most aspects of our business. We have developed and maintain a cybersecurity program, which includes people, processes, and technology aimed at defending our computer systems, devices and networks against increasingly sophisticated threats.
We recognize the importance of protecting both our information and operations from threats that could disrupt our business, put our assets at risk or compromise our customer and employee data. Our cybersecurity program is implemented and maintained using information security tools, policies and a dedicated team responsible for monitoring our networks, providing training to our employees, analyzing the evolution of new threats and strategies for mitigating such threats and seeking to continually harden our cybersecurity posture. The program is periodically exercised, reviewed, updated, and vetted through third-party audits, assessments, and tests with the goal of validating its effectiveness in reducing risk, as well as evaluating its compliance with legal and regulatory requirements. We assess, identify and manage our material risks from cybersecurity threats by employing the following:
• Identification of critical systems – we seek to identify which operational or information technology, if compromised or exploited, would result in operational disruption or data compromise. We aim to protect the entire environment at an enterprise level where practical, combined with additional layered, risk-based controls designed to safeguard against cybersecurity threats. This strategic, defense-in-depth, and risk-based approach to cybersecurity provides a methodology designed to identify, protect, detect, respond, and recover from cybersecurity incidents.
• Network segmentation – we use a combination of firewalls and routers to provide network segmentation seeking to provide us with network zone protection.
• Access controls – we leverage several security capabilities to attempt to enforce access, authorization and authentication to relevant systems, technology, and controls. A least-privilege methodology is applied for localized client workstations, servers, and applications. Security capabilities for access control include physical, administrative, and technical controls that combine to provide a defense-in-depth approach designed to protect our cyber assets from unauthorized use.
• Continuous monitoring, detection, and auditing – we employ various technologies, tactics, and procedures aimed to continuously monitor, baseline, and detect threats, and audit our network and systems. In addition, we use a combination of technology tools with outside managed security service providers designed to capture, analyze and respond to security anomalies.
• Patch management – we use a network vulnerability scanning tool that continually scans and reports identified vulnerabilities in servers and workstations in certain networks. Vulnerability scanner reports are used to drive patching and remediation efforts and are also used as a tool to evaluate the effectiveness of efforts to seek to ensure patches are applied timely. Application and infrastructure subject matter experts subscribe to various third-party vendor security notifications to receive proactive notifications on, among other things, bugs, security flaws and mitigations, related to operational and information systems.
The above cybersecurity risk management processes are integrated into our overall risk management program. Cybersecurity threats are understood to be wide reaching and to intersect with various other enterprise risks. In addition to assessing our own cybersecurity preparedness, we also consider cybersecurity risks associated with our use of third-party service providers based on the potential impact of a disruption of the services to our operations and the sensitivity of data shared with the service providers.
We regularly engage independent third parties to periodically assess our cybersecurity posture. These assessments include penetration tests, purple team activities, health checks and point-specific technical cybersecurity assessments of key systems. Some of these assessments are performed with internal audit oversight and tested in regular intervals.
Impact of Risks from Cybersecurity Threats
As of the date of this Annual Report, we are not aware of any previous cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Item 1A. Risk Factors for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The above cybersecurity risk management processes are integrated into our overall risk management program. Cybersecurity threats are understood to be wide reaching and to intersect with various other enterprise risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our Board of Directors oversees the execution of our cybersecurity strategy and the assessment of cybersecurity risks, along with the actions that we may take seeking to mitigate and address those cybersecurity risks.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|To promote transparency and informed decision-making, the CIO and cybersecurity team provide periodic updates regarding cybersecurity risks and initiatives to both our Cyber Incident Response Steering Committee and the Board of Directors.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|To promote transparency and informed decision-making, the CIO and cybersecurity team provide periodic updates regarding cybersecurity risks and initiatives to both our Cyber Incident Response Steering Committee and the Board of Directors. This ensures alignment and clarity among all stakeholders concerning our cybersecurity posture. By nurturing collaboration between our board, executive leadership, and cybersecurity professionals, we are devoted to protecting our digital assets and maintaining stakeholder trust.
|Cybersecurity Risk Role of Management [Text Block]
|The position of Chief Information Officer (CIO), which is currently vacant, leads our cybersecurity initiatives, managing a dedicated cybersecurity team focused on implementing and overseeing a robust cybersecurity program. The cybersecurity team has related academic degrees, certifications, and real-world experience in managing cybersecurity incidents and risks. The cybersecurity program emphasizes proactive prevention, detection, mitigation, and remediation of potential cybersecurity incidents. To promote transparency and informed decision-making, the CIO and cybersecurity team provide periodic updates regarding cybersecurity risks and initiatives to both our Cyber Incident Response Steering Committee and the Board of Directors. This ensures alignment and clarity among all stakeholders concerning our cybersecurity posture. By nurturing collaboration between our board, executive leadership, and cybersecurity professionals, we are devoted to protecting our digital assets and maintaining stakeholder trust. Our commitment to enhancing our cybersecurity framework equips FAT Brands to effectively address the dynamic threat landscape.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The position of Chief Information Officer (CIO), which is currently vacant, leads our cybersecurity initiatives, managing a dedicated cybersecurity team focused on implementing and overseeing a robust cybersecurity program.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The cybersecurity team has related academic degrees, certifications, and real-world experience in managing cybersecurity incidents and risks.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|To promote transparency and informed decision-making, the CIO and cybersecurity team provide periodic updates regarding cybersecurity risks and initiatives to both our Cyber Incident Response Steering Committee and the Board of Directors. This ensures alignment and clarity among all stakeholders concerning our cybersecurity posture. By nurturing collaboration between our board, executive leadership, and cybersecurity professionals, we are devoted to protecting our digital assets and maintaining stakeholder trust.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true