|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 29, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cyber Security.
Management policies and procedures
We recognize the need to protect our data, systems and technology. We have described related risks in Item 1A under the heading “Risks Related to our Technology and Data.” We have previously assessed and periodically measure our security maturity using the US National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), supported by other internal and third-party assessments. Gaps or perceived weaknesses in our NIST CSF score are highlighted to our Cybersecurity Risk Committee and subsequently to the Board of Directors. A reassessment of our maturity using NIST CSF was carried out in the early part of 2024, demonstrating ongoing improvement. These assessments allow us to prioritize investment into those areas which provide the greatest improvement in the CSF scoring and, by implication, our ability to identify, protect, detect, respond and recover from information and cybersecurity incidents. Risks are recorded in OneTrust and are formally assessed monthly, considering likelihood and potential impact, and mitigating actions are implemented where possible to reduce identified risks. Controls designed to reduce or eliminate risk are designed into our technology, processes and management of third parties. We conduct regular vulnerability scanning and use a third party for regular penetration testing designed to help us identify new weaknesses or vulnerabilities. In addition, we use the same third party to help us conduct a cybersecurity incident simulation, which is subsequently used to inform updates to our Cybersecurity Incident Response Plan. We also have procedures designed to assess risks related to the use of third-party suppliers.
In the previous 12 months, we have not identified any risks from cybersecurity threats, including those from any previous cybersecurity incidents, that have materially affected us, our business strategy, results of operations or financial condition. For additional information about the cybersecurity risks we face, see the risk factors entitled, “A cybersecurity attack, ‘data breach’ or other security incident experienced by us or our third-party service providers may result in negative publicity, claims, investigations and litigation and adversely affect our business, results of operations and financial condition,” and “If we fail to properly maintain the confidentiality and integrity of our data, including member and customer credit or debit card and bank account information and other PII, or if we fail to comply with applicable laws, rules, regulations, industry standards and contractual obligations relating to data privacy, protection and security, it may adversely affect our reputation, business and operations,” in Item 1A Risk Factors.
Governance
We have implemented a governance program which facilitates senior management oversight of cybersecurity risk management. An operational risk group comprising senior SHCO Cyber Risk and third-party Cyber Risk professionals, together with the IT Infrastructure lead, meets monthly to review emerging risks, progress with mitigation of identified risks and prioritization of risk reduction activities. The output from this group is shared quarterly with the Cyber Security Risk Committee (“CSRC”), a Board Sub-Committee which comprises the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Technology Officer (CTO), Chief Legal Officer (CLO) and Director of Information Security. The CSRC is responsible for reviewing the top strategic cyber risks and progress against cyber maturity improvement, and for recommending funding and resource requirements. The CSRC reports twice per year to the Audit Committee. The CSRC is also the body that collectively assesses materiality in the event of a cybersecurity incident and meets as required for this purpose.
Management’s role and relevant experience in assessing and managing cybersecurity
The NIST CSF is used to assess cybersecurity maturity. An initial baseline assessment has been used to inform our Cybersecurity Strategy, and periodic assessments are used to update the NIST CSF scoring. These assessments are carried out by an independent third party to provide appropriate objectivity and challenge. In addition, we are progressing towards certification to the international information security management standard ISO27001 and the related standard ISO27701 for privacy information management. Execution of our cybersecurity strategy is overseen by our Director of Information Security, who is a qualified CSIM and CISA, a Fellow of the UK Chartered Institute of Information Security, and has over 30 years of experience in cyber security. The Director of Information Security provides the CTO with periodic updates and also chairs the CSRC, which provides a forum for senior management to discuss cyber risk management in greater detail.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We recognize the need to protect our data, systems and technology. We have described related risks in Item 1A under the heading “Risks Related to our Technology and Data.” We have previously assessed and periodically measure our security maturity using the US National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), supported by other internal and third-party assessments.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
We have implemented a governance program which facilitates senior management oversight of cybersecurity risk management. An operational risk group comprising senior SHCO Cyber Risk and third-party Cyber Risk professionals, together with the IT Infrastructure lead, meets monthly to review emerging risks, progress with mitigation of identified risks and prioritization of risk reduction activities. The output from this group is shared quarterly with the Cyber Security Risk Committee (“CSRC”), a Board Sub-Committee which comprises the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Technology Officer (CTO), Chief Legal Officer (CLO) and Director of Information Security. The CSRC is responsible for reviewing the top strategic cyber risks and progress against cyber maturity improvement, and for recommending funding and resource requirements. The CSRC reports twice per year to the Audit Committee. The CSRC is also the body that collectively assesses materiality in the event of a cybersecurity incident and meets as required for this purpose.
Management’s role and relevant experience in assessing and managing cybersecurity
The NIST CSF is used to assess cybersecurity maturity. An initial baseline assessment has been used to inform our Cybersecurity Strategy, and periodic assessments are used to update the NIST CSF scoring. These assessments are carried out by an independent third party to provide appropriate objectivity and challenge. In addition, we are progressing towards certification to the international information security management standard ISO27001 and the related standard ISO27701 for privacy information management. Execution of our cybersecurity strategy is overseen by our Director of Information Security, who is a qualified CSIM and CISA, a Fellow of the UK Chartered Institute of Information Security, and has over 30 years of experience in cyber security. The Director of Information Security provides the CTO with periodic updates and also chairs the CSRC, which provides a forum for senior management to discuss cyber risk management in greater detail.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|We have implemented a governance program which facilitates senior management oversight of cybersecurity risk management.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|An operational risk group comprising senior SHCO Cyber Risk and third-party Cyber Risk professionals, together with the IT Infrastructure lead, meets monthly to review emerging risks, progress with mitigation of identified risks and prioritization of risk reduction activities.
|Cybersecurity Risk Role of Management [Text Block]
|The output from this group is shared quarterly with the Cyber Security Risk Committee (“CSRC”), a Board Sub-Committee which comprises the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Technology Officer (CTO), Chief Legal Officer (CLO) and Director of Information Security. The CSRC is responsible for reviewing the top strategic cyber risks and progress against cyber maturity improvement, and for recommending funding and resource requirements. The CSRC reports twice per year to the Audit Committee. The CSRC is also the body that collectively assesses materiality in the event of a cybersecurity incident and meets as required for this purpose.
Management’s role and relevant experience in assessing and managing cybersecurity
The NIST CSF is used to assess cybersecurity maturity. An initial baseline assessment has been used to inform our Cybersecurity Strategy, and periodic assessments are used to update the NIST CSF scoring. These assessments are carried out by an independent third party to provide appropriate objectivity and challenge. In addition, we are progressing towards certification to the international information security management standard ISO27001 and the related standard ISO27701 for privacy information management. Execution of our cybersecurity strategy is overseen by our Director of Information Security, who is a qualified CSIM and CISA, a Fellow of the UK Chartered Institute of Information Security, and has over 30 years of experience in cyber security. The Director of Information Security provides the CTO with periodic updates and also chairs the CSRC, which provides a forum for senior management to discuss cyber risk management in greater detail.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The output from this group is shared quarterly with the Cyber Security Risk Committee (“CSRC”), a Board Sub-Committee which comprises the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Technology Officer (CTO), Chief Legal Officer (CLO) and Director of Information Security.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CSRC is responsible for reviewing the top strategic cyber risks and progress against cyber maturity improvement, and for recommending funding and resource requirements. The CSRC reports twice per year to the Audit Committee. The CSRC is also the body that collectively assesses materiality in the event of a cybersecurity incident and meets as required for this purpose.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Management’s role and relevant experience in assessing and managing cybersecurity
The NIST CSF is used to assess cybersecurity maturity. An initial baseline assessment has been used to inform our Cybersecurity Strategy, and periodic assessments are used to update the NIST CSF scoring. These assessments are carried out by an independent third party to provide appropriate objectivity and challenge. In addition, we are progressing towards certification to the international information security management standard ISO27001 and the related standard ISO27701 for privacy information management. Execution of our cybersecurity strategy is overseen by our Director of Information Security, who is a qualified CSIM and CISA, a Fellow of the UK Chartered Institute of Information Security, and has over 30 years of experience in cyber security. The Director of Information Security provides the CTO with periodic updates and also chairs the CSRC, which provides a forum for senior management to discuss cyber risk management in greater detail.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true