Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 28, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Cybersecurity is among the most critical risks to the Company. For many activities important to its business, the Company depends on the confidentiality, integrity, and availability of information systems and data, some of which are provided or managed by third parties.

The Company’s Information Security and Privacy teams reduce first and third-party risk by maintaining a proactive security posture aligned with current threats, detecting cybersecurity events and responding quickly, and building procedures to rapidly recover.

Internal and third-party risks are reviewed, monitored, and managed by the Company’s Cybersecurity and Privacy teams, audited by an Internal Audit team and various external experts, and tracked within an Enterprise Risk Management framework. The Company regularly engages third-party experts to assess the effectiveness of its cybersecurity programs. Biennially, an external independent consultancy team conducts a comprehensive review of the Company’s cybersecurity program using the NIST Cybersecurity Framework. Targeted assessments are conducted regularly by internal and third-party experts to ensure compliance with specific federal and state laws and regulations. Additionally, the Company is assessed annually by an independent third party for compliance with the PCI-DSS standard, for which the Company receives an attestation of compliance.

The Company’s processes for identifying and managing first and third-party risks from cybersecurity threats include:

Continuous monitoring of the Company’s systems and network for cybersecurity events;
Regular testing of the Company’s Security Incident Response Plan, Business Continuity plans, and Disaster Recovery plans;
Required annual security training for team members with access to Company email, as well as tailored training for team members in more sensitive roles (and periodic testing to ensure the security training is effective).
The Company’s security awareness program seeks to create a culture of shared responsibility for the security of sensitive data and systems. This is accomplished through mandatory annual security training for team members with access to Company email as well as tailored training for team members in more sensitive roles. Periodic testing ensures the training is effective. In addition, all team members have access to a variety of training materials on security topics through the Company’s training management system.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
The Company’s Information Security and Privacy teams reduce first and third-party risk by maintaining a proactive security posture aligned with current threats, detecting cybersecurity events and responding quickly, and building procedures to rapidly recover.

Internal and third-party risks are reviewed, monitored, and managed by the Company’s Cybersecurity and Privacy teams, audited by an Internal Audit team and various external experts, and tracked within an Enterprise Risk Management framework. The Company regularly engages third-party experts to assess the effectiveness of its cybersecurity programs. Biennially, an external independent consultancy team conducts a comprehensive review of the Company’s cybersecurity program using the NIST Cybersecurity Framework. Targeted assessments are conducted regularly by internal and third-party experts to ensure compliance with specific federal and state laws and regulations. Additionally, the Company is assessed annually by an independent third party for compliance with the PCI-DSS standard, for which the Company receives an attestation of compliance.

The Company’s processes for identifying and managing first and third-party risks from cybersecurity threats include:

Continuous monitoring of the Company’s systems and network for cybersecurity events;
Regular testing of the Company’s Security Incident Response Plan, Business Continuity plans, and Disaster Recovery plans;
Required annual security training for team members with access to Company email, as well as tailored training for team members in more sensitive roles (and periodic testing to ensure the security training is effective).
The Company’s security awareness program seeks to create a culture of shared responsibility for the security of sensitive data and systems. This is accomplished through mandatory annual security training for team members with access to Company email as well as tailored training for team members in more sensitive roles. Periodic testing ensures the training is effective. In addition, all team members have access to a variety of training materials on security topics through the Company’s training management system.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
On behalf of the Board, the Audit Committee provides oversight of the Company’s management of cybersecurity risk. The Audit Committee regularly reviews the Company’s cybersecurity risks, incidents, audits, assessments, crisis readiness, awareness activities, and compliance with cybersecurity and privacy laws and regulations. The Company’s Vice President, Information Security and Privacy, briefs the Audit Committee quarterly, and more often, if necessary, on active and emerging cybersecurity threats and efforts to strengthen the Company’s defenses against these threats.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
On behalf of the Board, the Audit Committee provides oversight of the Company’s management of cybersecurity risk. The Audit Committee regularly reviews the Company’s cybersecurity risks, incidents, audits, assessments, crisis readiness, awareness activities, and compliance with cybersecurity and privacy laws and regulations. The Company’s Vice President, Information Security and Privacy, briefs the Audit Committee quarterly, and more often, if necessary, on active and emerging cybersecurity threats and efforts to strengthen the Company’s defenses against these threats.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
On behalf of the Board, the Audit Committee provides oversight of the Company’s management of cybersecurity risk. The Audit Committee regularly reviews the Company’s cybersecurity risks, incidents, audits, assessments, crisis readiness, awareness activities, and compliance with cybersecurity and privacy laws and regulations. The Company’s Vice President, Information Security and Privacy, briefs the Audit Committee quarterly, and more often, if necessary, on active and emerging cybersecurity threats and efforts to strengthen the Company’s defenses against these threats.
Cybersecurity Risk Role of Management [Text Block]
On behalf of the Board, the Audit Committee provides oversight of the Company’s management of cybersecurity risk. The Audit Committee regularly reviews the Company’s cybersecurity risks, incidents, audits, assessments, crisis readiness, awareness activities, and compliance with cybersecurity and privacy laws and regulations. The Company’s Vice President, Information Security and Privacy, briefs the Audit Committee quarterly, and more often, if necessary, on active and emerging cybersecurity threats and efforts to strengthen the Company’s defenses against these threats.

The Company’s Information Security and Privacy program and teams are managed by the Vice President, Information Security and Privacy, who reports to the Executive Vice President, Chief Technology, Digital Commerce, and Strategy Officer. The Company’s cybersecurity leaders have more than 25 years of relevant experience and multiple professional certifications.
An external managed security services provider and industry-leading security tools continuously monitor the Company’s systems and network for cybersecurity threats. The Company’s cybersecurity teams evaluate the escalated threats, and if necessary, take steps to contain and recover from pervasive threats in accordance with the Company’s Security Incident Response Plan. The plan includes reporting and escalation procedures to inform the Executive Committee, Audit Committee, and full Board, as appropriate to enable them to carry out their oversight responsibilities, and to ensure timely compliance with applicable reporting rules. The Company’s Business Continuity Management and Disaster Recovery plans include procedures for business recovery and are tested regularly.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
On behalf of the Board, the Audit Committee provides oversight of the Company’s management of cybersecurity risk. The Audit Committee regularly reviews the Company’s cybersecurity risks, incidents, audits, assessments, crisis readiness, awareness activities, and compliance with cybersecurity and privacy laws and regulations. The Company’s Vice President, Information Security and Privacy, briefs the Audit Committee quarterly, and more often, if necessary, on active and emerging cybersecurity threats and efforts to strengthen the Company’s defenses against these threats.

The Company’s Information Security and Privacy program and teams are managed by the Vice President, Information Security and Privacy, who reports to the Executive Vice President, Chief Technology, Digital Commerce, and Strategy Officer. The Company’s cybersecurity leaders have more than 25 years of relevant experience and multiple professional certifications.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
The Company’s Information Security and Privacy program and teams are managed by the Vice President, Information Security and Privacy, who reports to the Executive Vice President, Chief Technology, Digital Commerce, and Strategy Officer. The Company’s cybersecurity leaders have more than 25 years of relevant experience and multiple professional certifications.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
An external managed security services provider and industry-leading security tools continuously monitor the Company’s systems and network for cybersecurity threats. The Company’s cybersecurity teams evaluate the escalated threats, and if necessary, take steps to contain and recover from pervasive threats in accordance with the Company’s Security Incident Response Plan. The plan includes reporting and escalation procedures to inform the Executive Committee, Audit Committee, and full Board, as appropriate to enable them to carry out their oversight responsibilities, and to ensure timely compliance with applicable reporting rules. The Company’s Business Continuity Management and Disaster Recovery plans include procedures for business recovery and are tested regularly.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true