CASEYS GENERAL STORES INC 10-K Cybersecurity GRC - 2024-06-24

Page last updated on July 16, 2024

CASEYS GENERAL STORES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-24 10:38:36 EDT.

Filings

10-K filed on 2024-06-24

CASEYS GENERAL STORES INC filed a 10-K at 2024-06-24 10:38:36 EDT
Accession Number: 0000726958-24-000046


Item 1C. Cybersecurity.

Information security and data privacy have been, and continue to be, vitally important to the Company. Our Board, in coordination with the Audit Committee, provides oversight of the Company’s major information technology risk exposures, including those related to cybersecurity, data privacy and data security, and oversees the steps management has taken to monitor and mitigate such risk exposures. Cybersecurity and related matters are recurring topics at Audit Committee meetings and the Company’s Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”) regularly provide the Audit Committee, and periodically the entire Board, with updates on the Company’s cybersecurity risk profile and strategy. These updates include both qualitative and quantitative information on the effectiveness of the Company’s cybersecurity controls.

Our CIO is responsible for the strategic leadership and direction of the Company’s information technology organization. As a part thereof, the Company has implemented an information security program, directly overseen by our CISO, that consists of controls and processes designed to prevent, detect, and manage reasonably foreseeable cybersecurity risks and threats, and which is based on recognized best practices including the National Institute of Standards and Technology (“NIST”) Cyber Security Framework (“CSF”) and Payment Card Industry Data Security Standard (“PCI DSS”). Our CISO, who has over 38 years of industry experience, and his team, have relevant education and experience assessing and managing cybersecurity programs and cybersecurity risks across a mix of enterprises, including the retail industry.

Together with a third party, the CISO and his team also operate a 24/7 Security Operations Center to monitor the cybersecurity environment and coordinate escalation and remediation of alerts, and we incorporate many other resources to maintain readiness to withstand and respond to a cyber incident including but not limited to incident response tabletop exercises, system recovery exercises, simulated phishing email exercises and security awareness training.

Our CISO and his team have also developed processes to oversee and identify material cybersecurity risks associated with our use of third-party service providers who access our information technology systems, which includes leveraging our vendor risk management program designed to assess and manage the cybersecurity risks associated with these partnerships. As part of the program, our governance, risk and compliance team conducts due diligence as a part of onboarding new vendors and maintains ongoing evaluations to ensure compliance with our security standards.

The Company has a Cybersecurity Incident Response Plan (“the Plan”), integrated into our enterprise crisis management and business continuity program, which provides protocols and procedures for evaluating and responding to material cybersecurity incidents, including incident handling, disclosure and reporting, notification to senior management, the Board and relevant committees, and meeting external reporting obligations. As part of the Plan, the Company has also established an Incident Response Governance Team, co-chaired by our CISO and VP, Deputy General Counsel, which is a cross-functional group comprised of relevant stakeholders throughout the organization responsible for organizing the assessment, investigation and response to any material cybersecurity event.

As of the date of this report, no cybersecurity incidents have had, either individually or in the aggregate, a material adverse effect on our business, financial condition or results of operations. Notwithstanding the comprehensive approach we take to information security, there can be no assurance that our security efforts and measures, and those of our third-party service providers, will prevent or mitigate all incidents that could have a material adverse effect on our business, financial condition or results of operations. For additional information regarding the risks to us associated with cybersecurity incidents, see Item 1A entitled “Risk Factors.”


Company Information

Name: CASEYS GENERAL STORES INC
CIK: 0000726958
SIC Description: Retail-Auto Dealers & Gasoline Stations
Ticker: CASY - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: April 29