Page last updated on August 15, 2024
Performance Food Group Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-14 16:15:34 EDT.
Filings
10-K filed on 2024-08-14
Accession Number: 0000950170-24-097033
Item 1C. Cybersecurity.
Risk Management and Strategy
We rely upon information technology networks and systems to process, transmit, and store electronic information, and to manage or support virtually all of our business processes and activities. Accordingly, we maintain a comprehensive Information Security Program, anchored in a multi-tiered, defense-in-depth strategy designed to identify and mitigate risks from cybersecurity threats. We believe that our Information Security Program aligns with industry frameworks and assesses security trends, and facilitates identification and reduction of vulnerabilities. Our cybersecurity strategy considers existing risks to our company and those that we are likely to encounter based on our industry, company profile, and business objectives.
Consideration of risks from cybersecurity threats is a key component of our overall enterprise risk management strategy. We have implemented a risk management program to identify and track information risks, including cybersecurity threats, from many different sources, including third parties, technology projects, acquisitions, risk assessments, technical assessments, and internal/external audits, and assesses them based on severity. Our annual information technology general control testing, which is conducted in connection with our internal control over financial reporting review process, and periodic reviews of risks and controls related to cybersecurity threats that may impact financial reporting control objectives also serve to identify and track information risks. Additionally, we partner with independent third-party service providers to perform cybersecurity assessments, such as network and application penetration testing.
To emphasize the importance of cybersecurity awareness, advise of cybersecurity threats, and provide examples of how to mitigate such threats in their use of PFG systems, we also maintain an information security training program that combines several forms of training, including routine phishing exercises, across our workforce.
We acknowledge the potential cybersecurity risks inherent in our relationships with third parties. Accordingly, PFG has implemented a third-party risk management program to identify and oversee such risks. Our third-party risk assessment framework evaluates the cybersecurity practices and controls of third parties. Activities undertaken in relation to third parties may include due diligence inquiries, reviewing security policies and program capabilities, reviewing security certifications and results of independent audits. Review and establishment of contractual requirements is performed in accordance with the level of risk presented by a third party.
We maintain a regularly revised Cybersecurity Incident Response Plan and Cybersecurity Incident Notification Policy, which provide protocols for evaluating and responding to cybersecurity incidents, including escalation of information to senior leadership, including the Board of Directors, as appropriate, and meeting external reporting obligations. We periodically perform tabletop exercises where we perform walkthroughs of cybersecurity incident situations to test our response plans.
To date, we have not experienced any cybersecurity incidents that materially affected, or are likely to materially affect, our business strategy, results of operations, or financial condition, but future incidents cannot be predicted. See "Item 1A. Risk Factors" for additional information regarding cybersecurity-related risks that could impact our business.
Governance
Our Board of Directors executes its cybersecurity risk oversight function as a whole and by delegating responsibility to the Technology and Cybersecurity Committee of our Board of Directors, which oversees our management of risks relating to information technology security and our cybersecurity policies, controls and procedures. The Audit and Finance Committee of our Board of Directors oversees our enterprise risk management program as a whole and risk management regarding major financial risk exposure, including the potential financial impact of cybersecurity incidents.
The Technology and Cybersecurity Committee receives quarterly presentations and reports on cybersecurity and information security risks from management, including our Executive Vice President and Chief Information Officer (“CIO”) and Vice President, Chief Information Security Officer (“CISO”). These presentations and reports address a broad range of topics, including progress of security initiatives, strategy, key performance indicators, cybersecurity risks, and notable cybersecurity incidents. In addition, the Technology and Cybersecurity Committee and the Board of Directors receive briefings from time to time from outside experts for an independent view on cybersecurity risks, including best practices and current trends in cybersecurity.
Our CIO’s experience includes over 25 years of experience in information technology leadership roles, including ProBuild Holdings, the nation’s largest supplier of building materials; Gates Corporation, a manufacturer/distributor of automotive parts; and Nupremis Inc., a start-up that provided hosting and managed services. We also have a dedicated CISO, whose team is responsible for management of PFG’s Information Security Program, policies, compliance with internal/external mandates, strategy, security incident planning and response.
Our CISO reports to our CIO and has more than 20 years of cybersecurity, technology assurance and controls experience, including 17 years as a Certified Information Systems Security Professional (CISSP) and 12 years at PFG in information security and compliance. Our CISO joined PFG following several years of experience working in information security consulting, including Big 4 Accounting and Assurance, as well as working in industries including banking and finance.
Company Information
Name | Performance Food Group Co |
CIK | 0001618673 |
SIC Description | Wholesale-Groceries, General Line |
Ticker | PFGC - NYSE |
Category | Large accelerated filer |
Fiscal Year End | December 30 |