Page last updated on August 5, 2024
PROCTER & GAMBLE Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-05 16:16:53 EDT.
Filings
10-K filed on 2024-08-05
PROCTER & GAMBLE Co filed a 10-K at 2024-08-05 16:16:53 EDT
Accession Number: 0000080424-24-000083
Item 1C. Cybersecurity.
Risk Management and Strategy
The Company employs multiple tools and processes for assessing, identifying, and managing material risks from cybersecurity threats. A multi-functional enterprise security team reviews and assesses top cybersecurity risks. This assessment is shared with members of senior management, including the Chief Information Officer (CIO) and Chief Information Security Officer (CISO), and helps guide the Company’s cybersecurity operational priorities and strategy. In addition, cybersecurity risks are integrated into the Company’s broader Enterprise Risk Management program and, when identified, are reported to relevant business and governance leaders within the Company for appropriate action.
To support the ongoing identification and management of cybersecurity issues, the Company provides information security employee training, conducts global and targeted phishing simulation campaigns and conducts tabletop exercises. The Company also deploys a large library of security tools and experts to help prevent, detect, contain, eradicate and recover from potential cybersecurity issues and cyber-attacks. Further, the Company engages third-party consultants and services for cyber intelligence, insights and assessments of its cybersecurity risk posture and governance.
Cybersecurity reviews are embedded into the Company’s Third-Party Risk Management program. Generally under this program, third parties that process personal data or high-risk business data on behalf of the Company complete privacy and cybersecurity assessments on a risk basis, which may require such third parties to sign data processing agreements, comply with particular security controls or complete an additional security and privacy assessment.
As a global company, we manage a variety of cybersecurity threats and cannot wholly eliminate the risk of adverse impacts from such incidents. However, as of the date of this Form 10-K, we have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of our operations or financial condition. For additional information on the risks from cybersecurity threats that we have faced in the past and expect to continue to face in the future, please refer to the “Risk Factors” in Part I, Item 1A of this Form 10-K.
Governance
The Company’s Board of Directors oversees cybersecurity risks consistent with its general risk oversight responsibility. The Audit Committee of the Board has specific responsibility for reviewing the status of the security of the Company’s electronic data processing information systems and the general security, including cybersecurity, of the Company’s people, assets and information systems. In support of this general oversight, the full Board reviews at least annually the most significant enterprise risks facing the Company, including cybersecurity risks, as identified in the Company’s Enterprise Risk Management program. This review, which includes key members of senior management, covers any key risks from information security that have been identified and corresponding action plans.
The Audit Committee also receives regular updates from the Company’s CIO and CISO about the Company’s information security and systems security programs and plans, including emerging trends and progress on overall enterprise cybersecurity programs and priorities. These updates occur at least three times a year, with interim updates as needed.
The Company’s management is responsible for implementing its strategic plans, including identifying, evaluating, managing and mitigating the risks inherent in them, such as cybersecurity risks. Within management, the Company’s CISO has specific responsibility for cybersecurity risk management, reporting to the CIO. The Company’s CISO has over 15 years of experience in cybersecurity, information security and information risk management, including several years each in security engineering and in operations, as well as running incident response organizations. The CISO’s organization includes a dedicated team of centralized information security experts and a network of security professionals embedded in each business unit and function.
The CISO also leads the design and development of the Company’s cybersecurity program, relying on functional experts within the central Information Security organization as well as on information security experts within each of the Company’s Organizational Units. These embedded experts are responsible for the execution of the Company’s overall information security strategy and report security risks in their area of responsibility to their Organization Unit leader and to the CISO. Experts within the Company’s central Information Security organization help develop the Company’s cybersecurity strategies, policies and standards and similarly report security risks within the central enterprise to the CISO.
A central team within the Company leads enterprise-wide incident investigations and response, assisting and consulting on cyber security incidents impacting individual Organizational Units. Alerts of potential incidents can arise from security tool alerts, employee reports, threat intelligence sources, threat hunting activities or external entities, among other sources. The Company’s Security Operations Center initially responds to incident alerts and notifies central experts to any potentially significant cybersecurity incidents. Members of the Security Operations Center and relevant response teams work to contain and eradicate potential and identified threats and support the system’s recovery efforts, advised as needed by the Legal department and other Company experts.
Incidents are communicated to the CISO and other members of management, including the Company’s Ethics & Compliance Committee, as well as the Audit Committee of the Board, based on documented escalation criteria. The central enterprise team also regularly reviews incident reports to update the CISO. As described above, both the CIO and CISO report information about the Company’s identification and management of cybersecurity risks to the Audit Committee.
Company Information
Name | PROCTER & GAMBLE Co |
CIK | 0000080424 |
SIC Description | Soap, Detergents, Cleang Preparations, Perfumes, Cosmetics |
Ticker | PG - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | June 29 |