GENERAL MILLS INC 10-K Cybersecurity GRC - 2024-06-26

Page last updated on July 16, 2024

GENERAL MILLS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-26 14:50:47 EDT.


10-K filed on 2024-06-26

GENERAL MILLS INC filed a 10-K at 2024-06-26 14:50:47 EDT
Accession Number: 0001193125-24-168943


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our enterprise risk management framework considers cybersecurity risk alongside other company risks, as part of our overall risk assessment process. We leverage an industry-leading framework, the National Institute of Standards and Technology Cybersecurity Framework, and assess our maturity against that framework in partnership with an independent firm on an annual basis.

We assess and manage our cybersecurity risk using various mechanisms, starting with threat intelligence, which provides us a necessary viewpoint to help us identify trends, understand how certain attacks may affect us, and prepare for evolutions in threat actor behavior that may require changes to our security posture. To drive readiness, we perform periodic adversarial testing of our cybersecurity posture through penetration testing, using both internal resources and external expertise, as well as table-top and “red team” exercises to understand where processes or controls may be insufficient based on adversarial techniques. Our internal audit team performs regular assessments of our program and selected components. We also leverage retrospectives from previous cybersecurity incidents to understand weaknesses and to improve our security controls.

We assess our critical suppliers regularly for cybersecurity risk and prescribe remediation activities when necessary. As a part of a collaborative defense approach, we regularly participate in multiple cybersecurity forums to share threat intelligence, best practices, and points of caution. We train our employees through annual security training, phishing simulations, and regular communications about timely cybersecurity topics and threats.

We have a documented and well-tested cybersecurity incident response plan that guides us in responding, containing, and eradicating cybersecurity threats that have breached our preventative controls. We regularly practice technical recovery, and we maintain cybersecurity insurance.

Cybersecurity Governance

Our cybersecurity program is led by our Chief Digital and Technology Officer (CDTO) and Vice President of Cyber Security. Our Vice President of Cyber Security, who reports to our CDTO, has a master’s degree in information assurance, and more than 20 years of experience working in this field, including more than 12 years with General Mills. He has strategic and operational responsibility for all aspects of the company’s cybersecurity program, from how cyber risks are identified, to how General Mills detects, responds, contains, and recovers from cybersecurity threats.

The Audit Committee of our Board of Directors provides oversight for our cybersecurity program. The Audit Committee receives regular updates from management on the effectiveness of our cybersecurity program, reviews plans on how management will continually mature the program, and receives updates on special topics that help the committee provide effective oversight of the program.

Our Security & Resilience Governance Committee provides oversight and governance for the company’s cybersecurity risk through quarterly meetings, monthly dashboard reporting on management-aligned program performance targets, and as-needed updates on cybersecurity incidents. This committee is composed of our Chief Financial Officer, General Counsel, Chief Human Resources Officer, Chief Supply Chain Officer, and CDTO.

Like most companies, our systems are continually subjected to cybersecurity threats. Although we have not experienced a material cybersecurity breach, we cannot guarantee that we will not experience a cyber threat or incident in the future. Additional information on cybersecurity risks we face is included in Item 1A of this report, which should be read in conjunction with the information in this Item 1C.

Company Information

SIC Description: Grain Mill Products
Ticker: GIS - NYSE
Category: Large accelerated filer
Fiscal Year End: May 29