CONAGRA BRANDS INC. 10-K Cybersecurity GRC - 2024-07-11

Page last updated on July 16, 2024

CONAGRA BRANDS INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-11 16:30:44 EDT.

Filings

10-K filed on 2024-07-11

CONAGRA BRANDS INC. filed a 10-K at 2024-07-11 16:30:44 EDT
Accession Number: 0001558370-24-009764

Item 1C. Cybersecurity.

ITEM 1C. CYBER SECURITY

Risk Management and Strategy

Assessing, Identifying and Managing Material Risks

Our cybersecurity program is focused on assessing, identifying, and managing risks arising out of our use of information technology including the risk of cybersecurity incidents and threats. Our program is informed by recognized frameworks (such as the U.S. Department of Commerce’s National Institute of Standards and Technology Cybersecurity Framework) and leverages external and internal expertise. Our program is integrated into our operations and is widely communicated to employees through annual employee and contractor cybersecurity awareness training, regular awareness exercises, and employee outreach activities including cybersecurity tech talks, on-site digital signage, intranet resources, CEO cybersecurity champion recognition at quarterly town hall meetings, and other targeted communications. These awareness measures are coupled with ongoing implementation of technology aimed to reduce vulnerabilities (including external testing and validation) and to monitor and assess threats. Our program includes monitoring on an ongoing basis by automated tools that detect threats and trigger alerts for assessment, investigation, and remediation by our internal cybersecurity team.

Integration with Enterprise Risk Management

The cybersecurity program is an important part of the Company’s enterprise risk management (ERM), with our Senior Vice President & Chief Information Officer serving on our ERM Committee and our Vice President of ERM serving as the strategic crisis management coordinator under our cybersecurity incident response plan. We have developed processes for managing cybersecurity incidents including clear allocation of responsibilities and defined incident classifications, escalation requirements based on materiality, and prioritization parameters.
Our cybersecurity incident response plan is integrated into our ERM Committee risk mitigation action plan process, our Senior Leadership Team (SLT) strategic crisis management action plan process, and our Disclosure Committee protocol for cybersecurity incidents. We also maintain business continuity and disaster recovery plans to prepare for potential information technology disruptions.

Cybersecurity Program Components

Our cybersecurity program structure consists of our cybersecurity operations center; identity and access management; governance, risk, and compliance; architecture; and operational technology. Aspects of our program include:

● Activities to assess vulnerabilities including penetration testing, red teaming, tabletop exercises, and phishing and social engineering drills
● Engagement with law enforcement and U.S. government agencies, directly and through memberships in various cybersecurity intelligence and risk sharing organizations to help us stay informed about evolving threats
● Utilization of third-party experts to test, validate, and strengthen our plans, practices, and policies
● Technology team collaboration sessions to share information across different teams, geographic areas, and areas of responsibilities
● Assessing and managing cybersecurity risks arising out of the use of third-party technology and services, including pre-contract diligence, imposition of contractual obligations, and performance monitoring

Learnings from these activities are used to inform our training, guide our incident response preparedness and enhance our plans and processes. We have also participated in discussions with third-party service providers who have experienced cybersecurity incidents to inform our cybersecurity program.

Investment in Cybersecurity Program

The cybersecurity threat landscape is dynamic and volatile, and requires significant investment on the part of the Company in terms of investing in our employees through talent recruitment, retention, training and development, investing in external resources including procuring and deploying the correct tools to monitor, evaluate, and address threats, investing employee resources to maintain effective processes, and investing in strategic relationships to monitor evolving risks including third-party service provider vulnerabilities. While our third-party services providers have experienced cybersecurity incidents and we have experienced threats to our data and systems, to date, we are not aware that we have experienced a breach that had a material impact on our operations or business, however, cybersecurity risks that may materially impact the Company are discussed in more detail in Item 1A of Part I, “Risk Factors,” under the heading “Cybersecurity and Information Technology Risks,” which should be read in conjunction with the foregoing information.

Governance

General

Our management is responsible for identifying, assessing, and managing our exposure to cybersecurity risk. Management identifies and assesses risks through its cross functional ERM committee that is responsible for:

● Facilitating risk conversations with cross-functional leaders and teams
● Partnering with risk owners to develop risk management action plans focused on mitigating the drivers of the enterprise risks
● Identifying key metrics to objectively assess the risk to the Company applying both a short-term and long-term perspective
● Informing our strategic planning based on risks assessments after consideration of action plans and residual risk
● Developing a risk-aware culture throughout the organization

Our Board of Directors and its Audit / Finance Committee play an active part in overseeing cybersecurity risks relevant to the Company.
The Board and its Audit / Finance Committee routinely receive reports from our management and external advisors on critical risk areas.

Management

The Company maintains a dedicated internal cybersecurity team that is supported by internal and external software, third-party experts, and threat intelligence resources. Members of our cybersecurity team provide cybersecurity reports to our Board, SLT, and cross-functional leaders and teams. The internal cybersecurity team is responsible for implementing our cybersecurity strategy including policies, standards, architecture, and processes including our processes for identifying cybersecurity risks and threats and recommending mitigating actions to strengthen cybersecurity resilience. In addition, our internal cybersecurity team is responsible for managing detection, mitigation, and remediation of all cybersecurity incidents.

Conagra’s Cybersecurity Team is led by our Chief Information Security Officer (CISO). Our CISO, a certified information security professional, has over 25 years of cybersecurity leadership experience across multiple industries and holds a Doctor of Science (DSc) degree in Cybersecurity. The CISO reports to our Chief Information Officer (CIO), who has been with Conagra for more than 20 years serving in various leadership roles in information technology, finance, and business services. We believe our CIO possesses a firm understanding of the Company’s cybersecurity landscape, risks, and knowledge of the capabilities of our cybersecurity and information systems personnel. Additionally, members of our internal cybersecurity team have experience in cybersecurity risk management, threat monitoring, threat emulation, penetration testing, cyber incident response management, and data protection.
Team members have both individual responsibilities and a team focus, and manage both internal and third-party cybersecurity risk mitigation, covering areas such as network, endpoint device, and e-mail security as well as operations and threat management, monitoring, and response. Our CISO, CIO and CFO are responsible for determining that the Company has appropriate people, process and technology capabilities to identify, mitigate and report on cybersecurity risks to the SLT and Board of Directors.

Our cybersecurity incident response plan provides that our ERM, strategic crises management coordinator is informed about significant cybersecurity incidents for escalation to our internal Incident Disclosure Committee, SLT, and Board, as appropriate in accordance with our strategic crisis management action plan. Our cybersecurity incident response team is responsible for maintaining our cybersecurity incident response plan, which is periodically tested through our tabletop exercises. We have involved outside experts, our strategic crises management coordinator, members of our SLT, and members of our Incident Disclosure Committee in our tabletop exercises and preparedness drills to strengthen these response plans.

Additionally, our Corporate Cybersecurity Steering Committee, chaired by the CISO and whose members include our Senior Vice President, Corporate Controller (our principal accounting officer), as well as other members of the information technology, finance, supply chain, security and facilities, research and development, product, human resources, and legal teams, meets regularly to provide a forum for senior leaders and key stakeholders to strengthen their understanding and strategize on managing cybersecurity challenges at the Company.

Board of Directors and its Audit/Finance Committee

Our Board and its Audit/Finance Committee exercises oversight over our enterprise risk management including our cybersecurity program.
The Audit/Finance Committee receives updates from our CIO or CISO at each of its regularly scheduled meetings regarding matters related to information technology and cybersecurity including the state of the Company’s cybersecurity programs, emerging cybersecurity developments and threats, and the Company’s strategy to mitigate cybersecurity risks. Additionally, our full Board receives reports on our cybersecurity program at least annually which includes a review of our cybersecurity incident response plans which are described above.


Company Information

Name: CONAGRA BRANDS INC.
CIK: 0000023217
SIC Description: Food and Kindred Products
Ticker: CAG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: May 25