Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 29, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Our Cyber Oversight Group utilizes the IRP to: (1) prepare for and protect against cybersecurity incidents; (2) identify and analyze cybersecurity incidents; and (3) contain, eradicate, and help ensure appropriate reporting of cybersecurity events in accordance with our regulatory obligations. In the event of a cybersecurity incident, the IRP provides a framework to coordinate the response. The IRP also addresses escalation protocols to senior management responsibility with respect to disclosure determinations and provides for Audit Committee and Board briefings as appropriate. We also manage threats to our systems originating from or associated with third-party service providers by integrating cybersecurity requirements and other related obligations into various contracts. We also utilize vendor intake evaluations, ongoing cyber risk monitoring of our critical technology vendors, and other risk management strategies to evaluate and help mitigate risk associated with our third-party service providers. Vulnerabilities and risks identified for our third-party vendors are handled through ongoing scanning and reviews.
We employ a variety of measures to prepare for and protect against, detect, and contain and eradicate cybersecurity incidents and threats. The preparatory and protective measures we have in place include, without limitation, password protection, multi-factor authentication, internal and external penetration testing, maturity assessments, industry benchmarking, and annual cybersecurity awareness trainings for our employees as well as social engineering awareness simulations. The security operations program includes an outsourced managed security detection and response service, augmenting the internal security staff with additional third-party dedicated staff and an expert security advisor. Our IRP sets forth the process we follow to investigate a potential or confirmed cybersecurity incident and contain it as well as to assess disclosure obligations and address remediation, eradication, and recovery, with such efforts dependent upon the nature of the cybersecurity incident. We have relationships with a number of well-established third-party service providers to assist with cybersecurity incident response, containment and remediation efforts. We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity incidents that impact our own systems, networks, and technology. While we maintain a robust cybersecurity program, the techniques used to attack or impact information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see “Item 1A—Risk Factors.”
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Our Cyber Oversight Group utilizes the IRP to: (1) prepare for and protect against cybersecurity incidents; (2) identify and analyze cybersecurity incidents; and (3) contain, eradicate, and help ensure appropriate reporting of cybersecurity events in accordance with our regulatory obligations. In the event of a cybersecurity incident, the IRP provides a framework to coordinate the response. The IRP also addresses escalation protocols to senior management responsibility with respect to disclosure determinations and provides for Audit Committee and Board briefings as appropriate. We also manage threats to our systems originating from or associated with third-party service providers by integrating cybersecurity requirements and other related obligations into various contracts. We also utilize vendor intake evaluations, ongoing cyber risk monitoring of our critical technology vendors, and other risk management strategies to evaluate and help mitigate risk associated with our third-party service providers. Vulnerabilities and risks identified for our third-party vendors are handled through ongoing scanning and reviews.
We employ a variety of measures to prepare for and protect against, detect, and contain and eradicate cybersecurity incidents and threats. The preparatory and protective measures we have in place include, without limitation, password protection, multi-factor authentication, internal and external penetration testing, maturity assessments, industry benchmarking, and annual cybersecurity awareness trainings for our employees as well as social engineering awareness simulations. The security operations program includes an outsourced managed security detection and response service, augmenting the internal security staff with additional third-party dedicated staff and an expert security advisor. Our IRP sets forth the process we follow to investigate a potential or confirmed cybersecurity incident and contain it as well as to assess disclosure obligations and address remediation, eradication, and recovery, with such efforts dependent upon the nature of the cybersecurity incident. We have relationships with a number of well-established third-party service providers to assist with cybersecurity incident response, containment and remediation efforts. We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity incidents that impact our own systems, networks, and technology. While we maintain a robust cybersecurity program, the techniques used to attack or impact information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see “Item 1A—Risk Factors.”
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Audit Committee and the Board consider cybersecurity part of the Company’s overall enterprise risk management (“ERM”) function, which the Audit Committee oversees.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee provides oversight of our cybersecurity program, which includes annual and periodic reviews of our cybersecurity program and cybersecurity risks.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] As part of its oversight responsibility, and pursuant to its charter, the Audit Committee reviews with management and reports to the full Board with respect to significant cybersecurity matters and risks and management’s actions to monitor and address identified issues. The Internal Audit team also meets periodically with the VP, Information Security and Compliance officer along with key IT leadership to discuss open cyber or data security risks. This effort is to help ensure items of risk are addressed and resolved in a timely manner. The Audit Committee receives updates from the Company’s recently appointed Chief Digital and Technology Officer (“CDTO”), VP, Information Security and Compliance, and/or members of our executive leadership team. Management also reports to the full Board at least annually regarding a comprehensive overview and status of the Company’s information security program.
Cybersecurity Risk Role of Management [Text Block]
The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Cyber Oversight Group, led by our CDTO and VP, Information Security and Compliance. Our CDTO has decades of experience as Chief Technology Officer with multiple companies, and significant expertise in enterprise architecture, engineering, analytics and digital technology. In addition, our VP, Information Security and Compliance has over 20 years of experience as a Chief Information Security Officer in multiple industries and has received Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) certifications. Our CDTO and VP, Information Security and Compliance are responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, and response to cybersecurity threats and incidents and are regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats.
Members of our Cyber Oversight Group also include our Chief Executive Officer, Chief Financial Officer, Chief Legal and Risk Officer, Senior Director of Internal Audit, VP of International Technology, and technology and data privacy in-house counsel. The Cyber Oversight Group is also tasked with reporting to the Audit Committee on cybersecurity risk management strategies, as well as any significant cybersecurity incidents that may occur. In addition, the Cyber Oversight Group meets at least four times per year, or with greater frequency as necessary, to, without limitation:
review with management the Company’s cybersecurity threat landscape, risks, and data security programs, and the Company’s management and mitigation of cybersecurity risks and incidents;
review with management the Company’s compliance with applicable information security and data protection laws and industry standards;
discuss with management the Company’s cybersecurity, technology and information systems policies as to risk assessment and risk management, including the guidelines and policies established by the Company to assess, monitor, and mitigate the Company’s significant cybersecurity, technology and information systems related risk exposures; and
review and provide oversight on the Company’s crisis preparedness with respect to cybersecurity, technology and information systems, including cybersecurity incident response preparedness, communication plans, and disaster recovery capabilities.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Cyber Oversight Group, led by our CDTO and VP, Information Security and Compliance.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CDTO has decades of experience as Chief Technology Officer with multiple companies, and significant expertise in enterprise architecture, engineering, analytics and digital technology. In addition, our VP, Information Security and Compliance has over 20 years of experience as a Chief Information Security Officer in multiple industries and has received Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) certifications.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Members of our Cyber Oversight Group also include our Chief Executive Officer, Chief Financial Officer, Chief Legal and Risk Officer, Senior Director of Internal Audit, VP of International Technology, and technology and data privacy in-house counsel. The Cyber Oversight Group is also tasked with reporting to the Audit Committee on cybersecurity risk management strategies, as well as any significant cybersecurity incidents that may occur. In addition, the Cyber Oversight Group meets at least four times per year, or with greater frequency as necessary, to, without limitation:
review with management the Company’s cybersecurity threat landscape, risks, and data security programs, and the Company’s management and mitigation of cybersecurity risks and incidents;
review with management the Company’s compliance with applicable information security and data protection laws and industry standards;
discuss with management the Company’s cybersecurity, technology and information systems policies as to risk assessment and risk management, including the guidelines and policies established by the Company to assess, monitor, and mitigate the Company’s significant cybersecurity, technology and information systems related risk exposures; and
review and provide oversight on the Company’s crisis preparedness with respect to cybersecurity, technology and information systems, including cybersecurity incident response preparedness, communication plans, and disaster recovery capabilities.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true