|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 28, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management Program Components, Training, and Incident Response.
As part of our cybersecurity risk management program, our incident response team tracks and logs cybersecurity and data privacy incidents across the Company to identify, assess, mitigate, remediate, and resolve any such incidents. Prior to forming a contractual relationship with a material vendor or third-party service provider that will have access to our information systems or data, we perform due diligence on their cybersecurity and data privacy posture. We conduct annual reviews and tests of our information security program and we periodically review and update our cybersecurity policies. We also periodically utilize qualified third parties to evaluate and assess our cybersecurity risk management program, including through conducting cybersecurity maturity assessments. We utilize cybersecurity user awareness trainings with our employees, cybersecurity insurance, business continuity mechanisms, tabletop exercises, penetration testing, and vulnerability scanning to evaluate the effectiveness of our information security program and improve our security measures and planning. The material results of these assessments are reported to our executive leadership team and the Governance, Risk and Nominating Committee of the Company’s Board of Directors (the “Board”).
We have adopted a cybersecurity and data privacy incident response plan that provides a framework for identifying, classifying, documenting, and responding to cybersecurity and data privacy incidents and determining whether reporting of an incident is appropriate or required under regulatory standards. The plan also includes a materiality assessment framework to assist us in determining whether a security incident is “material” under the federal securities laws. A cross-functional working group reviews significant cybersecurity incidents under this framework to assess the incident and, among other things, determine whether further assessment and escalation of the incident within USANA is appropriate. Any incident assessed as being or potentially becoming material is immediately escalated to designated members of our executive leadership team. We consult with outside cybersecurity and data privacy consultants and legal counsel as appropriate, including on cyber incident significance and/or materiality analysis and disclosure matters, and designated members of our management team make the final materiality determinations and disclosure and other compliance decisions. Our management apprises the Governance, Risk and Nominating Committee and, where necessary, our independent registered public accounting firm, of cybersecurity matters and relevant developments, as appropriate.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have implemented and maintain a cybersecurity risk management program, which consists of, among other things, comprehensive processes to identify, assess, manage, and mitigate material cybersecurity threats as part of our broader enterprise risk management program. We utilize an internal team of cybersecurity professionals and data privacy professionals to oversee this program. Where appropriate, we obtain input from external experts on our program, including with respect to prevailing cybersecurity practices and the latest cyber threat trends.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our Board is actively involved in the assessment, oversight and management of the material risks that could affect the Company. The Board carries out its risk oversight and management responsibilities by monitoring risk directly as a full Board and, where appropriate, through its committees. The Board has delegated to the Governance, Risk and Nominating Committee the ultimate oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full Board for consideration. Our cybersecurity and data privacy professionals regularly discuss cyber risks and trends and, should they arise, any material incidents with management and the Governance, Risk and Nominating Committee.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board has delegated to the Governance, Risk and Nominating Committee the ultimate oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full Board for consideration. Our cybersecurity and data privacy professionals regularly discuss cyber risks and trends and, should they arise, any material incidents with management and the Governance, Risk and Nominating Committee.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board has delegated to the Governance, Risk and Nominating Committee the ultimate oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full Board for consideration. Our cybersecurity and data privacy professionals regularly discuss cyber risks and trends and, should they arise, any material incidents with management and the Governance, Risk and Nominating Committee.
|Cybersecurity Risk Role of Management [Text Block]
|
Our internal team of cybersecurity and data privacy professionals oversees, among other things, our cybersecurity risk management and mitigation, incident prevention, detection, and remediation. The leadership of these teams is comprised of various professionals with cybersecurity expertise, including our Executive Vice President of Information Security and Disaster Recovery, who reports to our Chief Operating Officer. Our Executive Vice President of Information Security and Disaster Recovery has a bachelor’s degree in computer information systems, multiple university certifications in advanced cybersecurity, and over 30 years’ experience in cybersecurity and technology roles at various companies. Our executive leadership team, with input from the above teams, is responsible for our overall enterprise risk management system and associated processes, and regularly considers cybersecurity risks in the context of other material risks to the Company.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our internal team of cybersecurity and data privacy professionals oversees, among other things, our cybersecurity risk management and mitigation, incident prevention, detection, and remediation. The leadership of these teams is comprised of various professionals with cybersecurity expertise, including our Executive Vice President of Information Security and Disaster Recovery, who reports to our Chief Operating Officer. Our Executive Vice President of Information Security and Disaster Recovery has a bachelor’s degree in computer information systems, multiple university certifications in advanced cybersecurity, and over 30 years’ experience in cybersecurity and technology roles at various companies. Our executive leadership team, with input from the above teams, is responsible for our overall enterprise risk management system and associated processes, and regularly considers cybersecurity risks in the context of other material risks to the Company.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The leadership of these teams is comprised of various professionals with cybersecurity expertise, including our Executive Vice President of Information Security and Disaster Recovery, who reports to our Chief Operating Officer. Our Executive Vice President of Information Security and Disaster Recovery has a bachelor’s degree in computer information systems, multiple university certifications in advanced cybersecurity, and over 30 years’ experience in cybersecurity and technology roles at various companies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
We have adopted a cybersecurity and data privacy incident response plan that provides a framework for identifying, classifying, documenting, and responding to cybersecurity and data privacy incidents and determining whether reporting of an incident is appropriate or required under regulatory standards. The plan also includes a materiality assessment framework to assist us in determining whether a security incident is “material” under the federal securities laws. A cross-functional working group reviews significant cybersecurity incidents under this framework to assess the incident and, among other things, determine whether further assessment and escalation of the incident within USANA is appropriate. Any incident assessed as being or potentially becoming material is immediately escalated to designated members of our executive leadership team. We consult with outside cybersecurity and data privacy consultants and legal counsel as appropriate, including on cyber incident significance and/or materiality analysis and disclosure matters, and designated members of our management team make the final materiality determinations and disclosure and other compliance decisions. Our management apprises the Governance, Risk and Nominating Committee and, where necessary, our independent registered public accounting firm, of cybersecurity matters and relevant developments, as appropriate.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true