BROWN FORMAN CORP 10-K Cybersecurity GRC - 2024-06-14

Page last updated on July 16, 2024

BROWN FORMAN CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-14 16:01:37 EDT.

Filings

10-K filed on 2024-06-14

BROWN FORMAN CORP filed a 10-K at 2024-06-14 16:01:37 EDT
Accession Number: 0000014693-24-000086

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management Strategy and Processes Our Chief Information Security Officer (CISO) leads our Global Information Security team, reports to the Chief Information Officer (CIO), and meets regularly with other members of senior management. Our CISO holds advanced degrees in Computer Science and Business Administration, in addition to relevant IT and cybersecurity certifications from organizations such as the EC Council, ISACA, and CSA. She has served in various IT roles for over 20 years, including leading the IT Security function. Our Global Information Security Team is responsible for the information security strategy, policy, security engineering, operations, and cyber threat detection and response. Our Global Information Security Team, which includes a security operations center, seeks to protect the company against reasonably foreseeable cyber threats and risks. The cybersecurity team members have the qualifications and certifications for their roles. They also have relevant industry experience in selecting, deploying, and operating cybersecurity technologies, initiatives, and processes globally. We also rely on threat intelligence as well as other information obtained from governmental, public, or private sources, including external consultants that we engage. We have made significant investments in people, processes, and technology to protect the confidentiality, integrity, and availability of our IT systems. As part of that effort, we utilize the National Institute of Standards and Technology Cybersecurity Framework as a guide for our security controls. We are also continuing to advance towards an architecture based on “Zero-Trust” principles, where we continuously validate the identity and security posture of every user, device, application, or network component trying to leverage our IT resources. In addition, our employees undergo annual security awareness training to improve their understanding of cybersecurity threats, and their ability to identify and escalate potential threats. In the event of an incident, we leverage a multi-layered set of plans that include, Endpoint Detection and Response software, Security Information and Event Management tools for detection, and a Cybersecurity Incident Response Plan and Disaster Recovery Response Plan for recovery. The recovery plans outline the steps to be followed from incident detection to mitigation, recovery, and notification, including notifying designated functional leadership teams, the Disclosure Committee, the General Counsel, other senior leadership, and the Board of Directors, as appropriate. These designated leaders assess various factors, including operational, financial, legal, regulatory, reputational impacts on the Company to determine the materiality of the incident and the appropriate response.. 24 We have established a tiered risk management strategy that helps us to evaluate our ability to protect assets (data and systems) by identifying, assessing, and prioritizing associated risk through, among other tools, the use of a non-affiliated third party assessor, audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, and simulations. We report the results of these assessments to the Audit Committee of the Board of Directors. We rely on third party service providers to deliver our products and services to our customers, including many of our technology initiatives. A cybersecurity incident at a supplier, subcontractor, or joint venture partner could materially adversely impact us. We evaluate third party providers from a cybersecurity risk perspective, which may include an assessment of that service provider’s cybersecurity posture through a questionnaire and include security and privacy addenda to our contracts where applicable. However, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful. Our systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse, or theft of personal information (of third parties, employees and their beneficiaries, and customers) and other data. These incidents have not had a material impact on our services, system, or business during the past reporting period. However, despite our capabilities, processes, and other security measures we employ, we may not be aware of all vulnerabilities or might not accurately assess the risk of an incident. Additional information on cybersecurity risks we face can be found in Item 1A. Risk Factors, which should be read in conjunction with the foregoing information. Cybersecurity Governance The Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. The Board of Directors has delegated oversight of risks related to cybersecurity to the Audit Committee. The Audit Committee regularly reports on its activities and findings with respect to risks from cybersecurity threats to the full Board of Directors. The Audit Committee oversees our cybersecurity posture to assess key strategic, operational, and compliance risks. Our CIO and CISO update the Audit Committee on a quarterly basis regarding cyber risks, the threat landscape, reports on our security roadmap, risk mitigation and governance, and any cybersecurity incidents. The Company’s Information Technology, Enterprise Security, Internal Audit, as well as the Legal and Privacy teams work closely to identify issues and incidents in a timely manner, and report them to senior leadership, the Board of Directors, and appropriate regulatory bodies, as appropriate. Assessing, identifying, and managing cybersecurity risks are integrated into our overall enterprise risk management (ERM) framework that provides risk quantification, scenario analysis to determine the potential impact on the enterprise, and processes to manage risk within the parameters of the organization’s risk appetite. Additionally, ERM provides support to the decision making process to enable cybersecurity risk owners to accomplish the desired level of asset protection and alignment consistent with the organization’s strategy. The ERM work is presented annually to the Audit Committee and Board of Directors, including the management of top risks and the review of emerging risks. 25

Company Information