Seneca Foods Corp 10-K Cybersecurity GRC - 2024-06-13

Page last updated on July 16, 2024

Seneca Foods Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-13 16:14:03 EDT.

Filings

10-K filed on 2024-06-13

Seneca Foods Corp filed a 10-K at 2024-06-13 16:14:03 EDT
Accession Number: 0001437749-24-020198

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The Company’s cybersecurity risk management program is integrated with its overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across functions to other legal, compliance, strategic, operational, and financial risk areas. The Company designs and assesses the cybersecurity risk management program based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). The Company uses the NIST CSF as a guide to help identify, assess, and manage cybersecurity risks relevant to its business; this does not imply that the Company’s cybersecurity program meets any particular technical standards, specifications, or requirements. The cybersecurity risk management program is grounded in a zero-trust framework and employs a multi-layered approach, including: ● Awareness and training for employees, involving phishing campaigns, informational sessions at management meetings, and annual mandatory training with simulations of common cybersecurity threats; ● Security tools and technologies, along with control policies and active review procedures which strengthen authentication and access protection; ● Third-party risk management process and monitoring procedures for service providers, suppliers, and vendors who have access to critical systems and information; ● Risk and vulnerability management encompassing both proactive and predictive defenses which provides opportunities to assess, remediate, and validate; and ● Managed detection and incident response, including advanced endpoint protection. In evaluating the risks identified as a part of the annual assessment process, the Company’s information technology team considers the likelihood and severity of the respective risk and the potential impact of the risk on the Company, its customers, and its employees. These risks are then prioritized and monitored by the information technology team. The Company conducts periodic testing of software, hardware, defensive capabilities, and other information security systems to assess its cybersecurity readiness and maturity of the cybersecurity program. Tests are conducted by the information technology team and reputable third-party consultants and auditors. In developing and evaluating the testing procedures, the Company considers both its individual risks and industry standards. The cybersecurity risk management program includes an incident response plan with a cross-functional team comprised of designated members of the information technology department, senior management, and other appropriate individuals. The team is responsible for assessing and managing the cybersecurity incident response process, as outlined within the incident response plan, and taking necessary corrective actions to mitigate and eliminate the issue. As of the date of this report, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition that are required to be reported in this Form 10-K. For further discussion of the risks associated with cybersecurity incidents and potential impact to the Company, see the cybersecurity risk factor within “Item 1A. Risk Factors” in this Form 10-K. Governance The information technology department, led by the Senior Vice President of Technology and Planning, Chief Information Officer (“CIO”), is responsible for the Company’s cybersecurity program. The CIO, along with the certified Information Security Officer and VP Information Technology have significant experience spanning over 20 years in information security, infrastructure, and compliance. The Board of Directors considers cybersecurity risk as part of its overall risk oversight function. The Board of Directors receives briefings from the CIO regarding the Company’s cybersecurity risk management program at least annually. These briefings include updates on the Company’s cybersecurity risks and threats, the status of projects to strengthen the information security systems, assessments of the information security program, and the emerging cybersecurity threat landscape.

Company Information