Cybersecurity Risk Management, Strategy and Governance
12 Months Ended
Jan. 03, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

We recognize the critical importance of cybersecurity and data privacy in safeguarding our operations, sensitive data, and maintaining the trust of our stakeholders. We acknowledge the significance of cybersecurity incidents and threats as potential risks that may impact our operations and information systems. We have developed and implemented cybersecurity and data privacy programs in accordance with the requirements of ISO standards 27001:2022 and 27701:2019, which are intended to appropriately preserve the confidentiality, integrity, and availability of information maintained by our company. These programs identify, select, maintain, operate, and improve cybersecurity and privacy controls.

We have implemented processes for assessing, identifying, and managing material risks from cybersecurity threats. These processes are designed to preserve the confidentiality, integrity, and availability of our information systems and the information residing therein. Our cybersecurity incident response plan is based on the NIST 800-61r2 “Computer Security Incident Handling Guide.” This plan is used to process security events identified through our real-time, 24x7 monitoring, and is also used to conduct security incident tabletop exercises. The incident response plan includes detailed steps for incident leadership, escalation to established partners, response protocols based on the type of incident, responsibilities for follow-up and reporting, and steps to capture lessons learned and improvement opportunities. Our vulnerability management processes include real-time monitoring for vulnerabilities and standardized reporting for managing remediation efforts. Our cybersecurity risk management processes are integrated into our overall risk management system to ensure alignment with our business objectives and strategies. We engage assessors, consultants, auditors and other third parties to execute certification audits, penetration tests, and security framework risk assessments. These external entities provide specialized expertise and insights to enhance the effectiveness of our cybersecurity risk management processes.

We have established processes to oversee and identify cybersecurity risks associated with our use of third-party service providers, including cloud service providers and AI systems. We conduct due diligence assessments and evaluate contractual obligations to mitigate potential risks arising from third-party relationships.

Cybersecurity threats, including previous incidents, have the potential to materially affect our company, including our business strategy, results of operations, and financial condition. While we have not experienced material adverse effects from cybersecurity threats to date, we recognize the evolving nature of these risks and remain vigilant in our efforts to mitigate potential impacts.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our cybersecurity risk management processes are integrated into our overall risk management system to ensure alignment with our business objectives and strategies.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

Cybersecurity threats, including previous incidents, have the potential to materially affect our company, including our business strategy, results of operations, and financial condition. While we have not experienced material adverse effects from cybersecurity threats to date, we recognize the evolving nature of these risks and remain vigilant in our efforts to mitigate potential impacts.

Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Our Board of Directors provides oversight of risks from cybersecurity threats. The Security and Privacy Management Committee (the “SPMC”) consists of our Chief Financial Officer, General Counsel, Vice President of Information Technology, Chief Human Resources Officer, Director of Information Security and Director of Environmental Health and Safety. The SPMC is tasked with ensuring risks are adequately addressed within our governance framework.

We maintain a dedicated team of cybersecurity professionals. The Director of Information Security, the Information Security team, the SPMC, the Vice President of Information Technology, and the Information Technology leadership team are principally responsible for assessing and managing cybersecurity risks for our company. These individuals possess relevant expertise in cybersecurity risk management and are equipped to address the evolving nature of cyber threats. Our Director of Information Security has over 20 years of cybersecurity experience, holds several professional certifications and is an adjunct faculty member teaching courses on information security management and governance. Our cybersecurity professionals have a proven track record of executing strategic security objectives across various sectors, including utility, government, healthcare, and consulting. They bring with them experience in designing, implementing, and managing information security programs focused on quality, performance, and compliance.

Our information security team and our third-party security service providers actively monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents, ensuring timely response and resolution. Processes are in place to inform relevant management positions and committees about emerging threats and incident response activities. The Director of Information Security provides regular updates on cybersecurity risks and incidents to the Board of Directors, the SPMC, and IT leadership.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

Our Board of Directors provides oversight of risks from cybersecurity threats. The Security and Privacy Management Committee (the “SPMC”) consists of our Chief Financial Officer, General Counsel, Vice President of Information Technology, Chief Human Resources Officer, Director of Information Security and Director of Environmental Health and Safety. The SPMC is tasked with ensuring risks are adequately addressed within our governance framework.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Processes are in place to inform relevant management positions and committees about emerging threats and incident response activities. The Director of Information Security provides regular updates on cybersecurity risks and incidents to the Board of Directors, the SPMC, and IT leadership.

Cybersecurity Risk Role of Management [Text Block] We maintain a dedicated team of cybersecurity professionals. The Director of Information Security, the Information Security team, the SPMC, the Vice President of Information Technology, and the Information Technology leadership team are principally responsible for assessing and managing cybersecurity risks for our company. These individuals possess relevant expertise in cybersecurity risk management and are equipped to address the evolving nature of cyber threats.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Director of Information Security, the Information Security team, the SPMC, the Vice President of Information Technology, and the Information Technology leadership team are principally responsible for assessing and managing cybersecurity risks for our company. These individuals possess relevant expertise in cybersecurity risk management and are equipped to address the evolving nature of cyber threats.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our Director of Information Security has over 20 years of cybersecurity experience
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Our information security team and our third-party security service providers actively monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents, ensuring timely response and resolution. Processes are in place to inform relevant management positions and committees about emerging threats and incident response activities. The Director of Information Security provides regular updates on cybersecurity risks and incidents to the Board of Directors, the SPMC, and IT leadership.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true