Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Dec. 27, 2025 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | We are regularly subject to cyberattacks and other cyber incidents. In response, we have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage cybersecurity risks. Our enterprise risk management framework considers cybersecurity risk alongside other company risks as part of our overall risk assessment process. Our enterprise risk management team collaborates with our Cybersecurity function, led by the Company’s Chief Strategy and Transformation Officer and the Company’s Chief Information Security Officer, to gather insights for identifying, assessing and managing cybersecurity threat risks, their severity, and potential mitigations. We assess PepsiCo’s Cybersecurity program using an industry-leading cybersecurity framework from the National Institute of Standards and Technology. To help assess and identify our cybersecurity risks, we maintain internal resources to perform penetration testing designed to simulate evolving tactics and techniques of real-world threat actors, engage with industry partners and law enforcement and intelligence communities and conduct tabletop exercises and periodic risk interviews across our business. We also engage an independent third party to perform internal and external penetration testing of PepsiCo’s environment periodically and engage other third parties to periodically conduct assessments of our cybersecurity capabilities. In addition, we continue to expand training and awareness practices to mitigate human risk, including mandatory computer-based training, internal communications, and regular phishing awareness campaigns that are designed to emulate real-world contemporary threats and provide immediate feedback (and, if necessary, additional training or remedial action) to employees. Our processes also address cybersecurity risks associated with our use of third-party service providers including suppliers, software and cloud-based service providers. We proactively evaluate the cybersecurity risk of a third party by utilizing a repository of risk assessments, external monitoring sources, threat intelligence and predictive analytics to better inform PepsiCo during contracting and vendor selection processes. Additionally, we require those third parties to agree by contract to implement appropriate security controls. Security issues are documented and tracked and periodic monitoring is conducted for third parties in order to mitigate risk. In addition to the processes, technologies, and controls that we have in place to reduce the likelihood of a successful material cyberattack, the Company has established well-defined response procedures to address cyber events that do occur. The program provides for the coordination of various corporate functions and governance groups and serves as a framework for the execution of responsibilities across businesses and operational roles. Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to assess for potential disclosure, comply with potentially applicable legal obligations and mitigate brand and reputational damage. We also maintain insurance coverage that, subject to its terms and conditions, is intended to address costs associated with certain aspects of cyber incidents and information systems failures.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | We are regularly subject to cyberattacks and other cyber incidents. In response, we have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage cybersecurity risks. Our enterprise risk management framework considers cybersecurity risk alongside other company risks as part of our overall risk assessment process. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Given that cybersecurity risks can impact various areas of responsibility of the Committees of the Board, the Board believes it is useful and effective for the full Board to maintain direct oversight over cybersecurity matters. In 2021, the Board amended our Corporate Governance Guidelines to specifically mention cybersecurity as an area of Board oversight to reflect this existing practice. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Board receives and provides feedback on regular updates from management, including from the Company’s Chief Strategy and Transformation Officer and the Company’s Chief Information Security Officer, regarding cybersecurity governance processes, the status of projects to strengthen internal cybersecurity, results from third-party assessments, and also discusses any significant cyber incidents, including recent incidents at other companies and the emerging threat landscape. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Board receives and provides feedback on regular updates from management, including from the Company’s Chief Strategy and Transformation Officer and the Company’s Chief Information Security Officer, regarding cybersecurity governance processes, the status of projects to strengthen internal cybersecurity, results from third-party assessments, and also discusses any significant cyber incidents, including recent incidents at other companies and the emerging threat landscape. |
| Cybersecurity Risk Role of Management [Text Block] | Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by the Company’s Chief Strategy and Transformation Officer and the Company’s Chief Information Security Officer. Such individuals have significant prior work experience in various roles across multiple industries involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and managing compliance environments. These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by the Company’s Chief Strategy and Transformation Officer and the Company’s Chief Information Security Officer. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Such individuals have significant prior work experience in various roles across multiple industries involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and managing compliance environments. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
|
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |