MIDDLEBY Corp 10-K Cybersecurity GRC - 2024-02-28

Page last updated on July 16, 2024

MIDDLEBY Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:41:19 EST.

Filings

10-K filed on 2024-02-28

MIDDLEBY Corp filed a 10-K at 2024-02-28 16:41:19 EST
Accession Number: 0000769520-24-000004


Item 1C. Cybersecurity.

Risk Management and Strategy

The company maintains a cybersecurity risk management program as part of its overall risk management framework and regularly assesses risks from cybersecurity threats, monitors its information systems for potential vulnerabilities and tests those systems pursuant to the company’s cybersecurity standards, processes, and practices. To protect the company’s information systems from cybersecurity threats, the company uses various security tools that help the company identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. These efforts include but are not limited to, internal reporting, engaging third-party service providers to actively monitor information systems, performing vulnerability testing using external third-party tools and techniques to test security controls, conducting employee training, monitoring emerging trends and regulations related to information security, and implementing appropriate changes, as needed, to our cybersecurity risk management program. The company partners with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes. These assessments include penetration testing, vulnerability assessments, tabletop exercises, and reviews of incident response protocols that are designed to ensure robust protections against evolving threats. The company has processes that aim to validate security controls and engages third parties to design or assess security architecture, and certifications. This includes assessing the potential fourth-party risks related to employee, business, and customer data. During the third-party procurement and contracting process, the company incorporates contract provisions that are designed to align with applicable regulations and industry benchmarks.
To date, the Company is not aware of cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to affect the Company, including its business strategy, results of operations or financial condition. Refer to the risk factor captioned “The Company may be subject to information technology system failures, network disruptions, cybersecurity attacks and breaches in data security, which may materially adversely affect the Company’s operations, financial condition and operating results” in Part I, Item 1A. “Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company.

Governance

The company takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations that are designed to address cybersecurity threats and incidents. In particular, the company dedicates significant resources in an effort to secure its confidential information as well as the data and any personal information the Company receives and stores about its customers and employees. The company has systems in place designed to securely receive and store that information and to detect, contain, and respond to data security incidents. The company has a robust information security training and compliance program for all new and existing employees. Training is provided at least annually, with a formal communication cadence of additional components of training being provided throughout the year. Employee cybersecurity proficiency is assessed quarterly, with supplementary training programs tailored to individual needs based on these evaluations. The company has not experienced a material cybersecurity or information security breach in the last three years.
The company maintains a program, run by the company’s Director of Information Technology, overseen by the company’s Chief Financial Officer, that is designed to protect and preserve the confidentiality, integrity and continued availability of all information owned by or in the care of the company. The company has implemented a cybersecurity incident response plan that provides controls and procedures to facilitate timely and accurate reporting of any material cybersecurity incident. The initial impact of each cybersecurity event is evaluated by a designated cybersecurity team using established risk criteria. If a cybersecurity event meets certain of these criteria, it is escalated to an internal cross-functional Cyber Incident Response Team and external incident responders. The company has a cyber incident disclosure committee that evaluates and considers whether public disclosure of an event is required. The plan also contains procedures for escalating cybersecurity incidents to the Board of Directors. The company’s Director of Global Information Technology is responsible for leading the assessment and management of cybersecurity risks. The current Director of Global Information Technology has over 10 years of experience in information security and holds CISSP and GIAC credentials. The Director of Global Information Technology reports to the Audit Committee and management on cybersecurity threats on a regular basis. Oversight responsibility for information security matters is shared by the Board (primarily through the Audit Committee) and senior management. The Audit Committee oversees the company’s cybersecurity and information security program and receives periodic updates from senior management on cybersecurity and information security matters. 
The Director of Global Information Technology or key members of the executive leadership team update the Audit Committee periodically on the cybersecurity landscape, including the status of ongoing threats and company initiatives.


Company Information

Name: MIDDLEBY Corp
CIK: 0000769520
SIC Description: Refrigeration & Service Industry Machinery
Ticker: MIDD - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 29