PYXUS INTERNATIONAL, INC. 10-K Cybersecurity GRC - 2024-06-06

Page last updated on July 16, 2024

PYXUS INTERNATIONAL, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-06 06:59:55 EDT.

Filings

10-K filed on 2024-06-06

PYXUS INTERNATIONAL, INC. filed a 10-K at 2024-06-06 06:59:55 EDT
Accession Number: 0000939930-24-000081

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The Company recognizes the importance of maintaining cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Our information security framework leverages information and guidance from external sources and is managed by an internal team, led by the Cybersecurity Manager. This team provides updates on the overall effectiveness of the cybersecurity framework, including information on cyber threats and incidents, to the Information Services leadership team consisting of the Executive Vice President (“EVP”) - Global Business & Information Services, Vice President (“VP”) Information Services, and Senior Director of Information Technology Operations and Governance. We take a multi-layered, risk-based approach to our security controls to prevent, detect, and respond to cybersecurity threats. Our capabilities, processes, and security measures include, and are not limited to: - reactive endpoint protection to detect and prevent virus and malware threats; - network perimeter firewalls, including malware prevention; - e-mail scanning to prevent spam and phishing campaigns; - vulnerability scanning and remediation of vulnerabilities based on priority; - logical access controls, including multi-factor authentication; - incident response procedures; and - disaster recovery protocols. The Company educates its workforce as part of our security awareness program to understand the risks and potential impacts cybersecurity threats pose to our business, and ways employees can remain vigilant to prevent cybersecurity incidents from occurring. The program includes annual employee acknowledgement of security related policies, ongoing communication about prevalent vulnerabilities, security awareness training, and simulated phishing campaigns. We maintain strategic partnerships with third-party service providers to enhance our security measures and improve resilience against cybersecurity threats. Annual penetration tests are conducted by a third party to evaluate existing security measures and identify improvements. Additionally, the Company engages a managed detection and response service to monitor our information systems environment, identify suspicious activity, and perform actions to prevent or stop attacks. The Company maintains a cybersecurity insurance policy that provides coverage for potential losses arising from a cybersecurity incident. Although we maintain cybersecurity insurance, there can be no guarantee that our policy will cover all losses or all types of claims that may arise from such incidents. Governance Our processes for assessing, identifying, and managing material risks from cybersecurity are included in our Enterprise Risk Management (“ERM”) program. Oversight of the Company’s ERM program resides with the Audit Committee and our Board of Directors. The Audit Committee regularly reviews the results from the Company’s ERM program with management. The 17 Company’s Board of Directors receive updates from the EVP - Global Business & Information Services regarding cybersecurity framework developments and information that may impact the Company’s cybersecurity posture. The Company’s EVP - Global Business & Information Services reports to the Chief Executive Officer and has 35 years of experience leading information technology functions, which includes information security and incident management prevention and response. Under the direction of the EVP - Global Business & Information Services and the Chief Executive Officer, the internal team within the Company’s Information Services department analyzes cybersecurity risks, considers industry trends, and implements controls, as appropriate, to mitigate these risks. Impact of Cybersecurity Risks and Threats As of the date of this Annual Report on Form 10-K, we are not aware of cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, there can be no assurance that a material cybersecurity incident will not occur in the future. Additional information on cybersecurity risks are discussed in " Item 1A. Risk Factors ," which should be read in conjunction with the foregoing information.

Company Information