|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 29, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We have processes in place for assessing, identifying, and managing material risks from unauthorized occurrences on or through our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems. These include a wide variety of mechanisms, controls, technologies, methods, systems, and other processes that are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities. In addition, we engage with independent third-party partners, including cybersecurity assessors, consultants, and auditors, to assess and consult on our cybersecurity capabilities, prioritize areas of risk, and assist with execution of our risk management and strategic plans. Our collaboration with these third parties includes audits, threat assessments, and consultation on security enhancements. In an effort to mitigate data or security incidents that may originate from third-party suppliers, we also identify, prioritize, assess, and address third-party risks; however, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure that their efforts will be successful.
As part of our risk management process, we conduct application security assessments, vulnerability management, penetration testing, security audits, and risk assessments. We provide cybersecurity awareness training to employees with access to information systems, including corporate employees. We also maintain an incident response plan. Our incident response plan outlines the process for our coordination with our third-party cybersecurity providers to respond to and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with applicable legal obligations and mitigate brand and reputational damage. In addition, our incident response plan includes actions designed to enhance processes and responsiveness to address future incidents. We continue to strengthen our systems, cybersecurity training, policies, programs, response plan, and other similar measures.
As previously disclosed in the Company’s Current Report on Form 8-K filed with the SEC on December 11, 2024, during the fourth quarter of fiscal 2024, unauthorized activity on a portion of our information technology systems resulted in the Company experiencing certain operational disruptions, including with online ordering in parts of the U.S. (the “2024 Cybersecurity Incident”). Our online ordering, retail shops, and core business functions are now fully operational. The incident materially affected the Company’s business operations and is reasonably likely to materially impact the Company’s results of operations and financial condition. In the fourth quarter of fiscal 2024, we incurred approximately $3 million of remediation expenses related to the 2024 Cybersecurity Incident. In addition, we estimate that we lost revenue within our U.S. segment in an amount of $11 million related to the incident with a corresponding estimated $10 million impact on Adjusted EBITDA (includes margin on the aforementioned lost revenues, as well as operational inefficiencies). We expect to continue to incur costs in fiscal 2025 related to the incident, including operational inefficiencies early in the first quarter and costs related to fees for our cybersecurity experts and other advisors. The Company holds cybersecurity insurance that is expected to offset a portion of the losses and costs from the incident. As of the date of this report, except as set forth herein, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, our business strategy, results of operations, or financial condition. For more information regarding cybersecurity risks that have and may in the future materially affect us, see “Risk Factors—Risks Related to Cybersecurity, Data Privacy, and Information Technology” included in Item 1A of Part I of this Annual Report on Form 10-K.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have processes in place for assessing, identifying, and managing material risks from unauthorized occurrences on or through our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems. These include a wide variety of mechanisms, controls, technologies, methods, systems, and other processes that are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Audit and Finance Committee (“Audit Committee”) of the Board of Directors oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. The Audit Committee also oversees our cybersecurity risk and receives reports from our CIO on various cybersecurity matters, mitigation measures, and the status of our information security priorities. In addition, the Audit Committee reports to the Board of Directors on any significant cybersecurity incidents, such as the 2024 Cybersecurity Incident.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit and Finance Committee (“Audit Committee”) of the Board of Directors oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. The Audit Committee also oversees our cybersecurity risk and receives reports from our CIO on various cybersecurity matters, mitigation measures, and the status of our information security priorities. In addition, the Audit Committee reports to the Board of Directors on any significant cybersecurity incidents, such as the 2024 Cybersecurity Incident.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit and Finance Committee (“Audit Committee”) of the Board of Directors oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. The Audit Committee also oversees our cybersecurity risk and receives reports from our CIO on various cybersecurity matters, mitigation measures, and the status of our information security priorities. In addition, the Audit Committee reports to the Board of Directors on any significant cybersecurity incidents, such as the 2024 Cybersecurity Incident.
|Cybersecurity Risk Role of Management [Text Block]
|Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. The Audit and Finance Committee (“Audit Committee”) of the Board of Directors oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. The Audit Committee also oversees our cybersecurity risk and receives reports from our CIO on various cybersecurity matters, mitigation measures, and the status of our information security priorities. In addition, the Audit Committee reports to the Board of Directors on any significant cybersecurity incidents, such as the 2024 Cybersecurity Incident.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our Chief Information Officer (“CIO”) leads our global information security organization responsible for overseeing the Company’s information security program. Our Chief Information Security Officer (“CISO”) is primarily responsible for identifying, assessing, monitoring, and managing cybersecurity threats to our overall enterprise. Our CIO has over 25 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Our CISO, who reports directly to the CIO, has over 30 years of information technology infrastructure and security experience, including developing and leading cybersecurity risk management programs for a variety of companies. Additionally, the team supporting the CISO has relevant educational and professional information technology security experience, including holding similar positions at other large companies. The CISO receives information regarding cybersecurity incidents and threats primarily from our third-party cybersecurity providers. The CISO then provides periodic reports to the CIO, including reporting on significant cybersecurity incidents, strategy, results of employee trainings, and any other notable cybersecurity matters.
Cybersecurity risk is among the top risks that the Company actively monitors. Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. The Audit and Finance Committee (“Audit Committee”) of the Board of Directors oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. The Audit Committee also oversees our cybersecurity risk and receives reports from our CIO on various cybersecurity matters, mitigation measures, and the status of our information security priorities. In addition, the Audit Committee reports to the Board of Directors on any significant cybersecurity incidents, such as the 2024 Cybersecurity Incident.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CIO has over 25 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Our CISO, who reports directly to the CIO, has over 30 years of information technology infrastructure and security experience, including developing and leading cybersecurity risk management programs for a variety of companies. Additionally, the team supporting the CISO has relevant educational and professional information technology security experience, including holding similar positions at other large companies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The CISO receives information regarding cybersecurity incidents and threats primarily from our third-party cybersecurity providers. The CISO then provides periodic reports to the CIO, including reporting on significant cybersecurity incidents, strategy, results of employee trainings, and any other notable cybersecurity matters.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef