ESTEE LAUDER COMPANIES INC 10-K Cybersecurity GRC - 2024-08-19

Page last updated on August 19, 2024

ESTEE LAUDER COMPANIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-19 12:59:14 EDT.

Filings

10-K filed on 2024-08-19

ESTEE LAUDER COMPANIES INC filed a 10-K at 2024-08-19 12:59:14 EDT
Accession Number: 0001001250-24-000116


Item 1C. Cybersecurity.

Risk Management and Strategy

Our enterprise risk management framework considers cybersecurity risk in conjunction with our other Company risks as part of the overall risk assessment process. Our enterprise risk management team collaborates with the information security function, led by the Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”), to gather their insights and risk mitigation strategies for managing cybersecurity threats. This integrated approach helps us assess, identify, and manage cybersecurity risks along with our other operational, financial and strategic risks, assisting in more effectively managing interdependencies among risks and enhancing risk mitigation strategies.

We have implemented a cybersecurity program including processes, technologies, and controls to assess, identify, and manage material risks from cybersecurity threats. This program includes implementing new technologies to proactively identify and monitor new vulnerabilities and reduce risk, conducting due diligence of third-party vendors’ information security programs, maintaining security policies and standards and regularly updating and testing our response planning and protocols. We maintain a formal information security training program for employees that includes training on matters such as phishing and email security best practices. Employees are also required to complete mandatory training on data privacy. We also have a third-party cybersecurity risk review process, including requiring key third-party service providers to complete initial and periodic security assessments, which prioritizes, monitors and assesses the risks associated with our third-party service provider interactions. To evaluate and enhance our cybersecurity program, we periodically utilize third-party experts to undertake maturity assessments of the program.

We have also adopted a cybersecurity incident response plan that is designed to effectively identify, analyze, contain, remediate and eradicate, escalate, report, and appropriately document cybersecurity incidents. The plan also includes a materiality assessment framework that sets forth procedures and escalation protocols to support our assessment of whether a cybersecurity incident is material and subject to SEC reporting requirements. Such escalation protocols include the involvement of the CISO and other senior leaders across various functions, including finance, legal, privacy and global communications, as appropriate. We also maintain insurance coverage that, subject to its terms and conditions, is intended to address costs associated with certain aspects of cybersecurity incidents.

We have experienced cybersecurity incidents of varying degrees on our information technology; however, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, we cannot eliminate all risks and the compromise or interruption of, or damage to, our information technology (including our operational technology and websites) by cybersecurity incidents could have a material negative impact on our business. For a more detailed discussion of the risks, see Risks related to Technology and Cybersecurity Matters within Item 1A. Risk Factors.

Governance

The Audit Committee of the Board of Directors oversees our information security program, which includes oversight of the cybersecurity program and management of cybersecurity risks. The Audit Committee receives at least semi-annual updates from the CISO, which typically address our cybersecurity strategy, initiatives, key security metrics, business response plans and the evolving cyber threat landscape and a detailed threat assessment relating to information technology risks.

At the management level, our cybersecurity program is led by the CISO, who is responsible for assessing and managing material risks from cybersecurity threats, including the prevention, mitigation, detection, and remediation of cybersecurity incidents. The CISO is informed about cybersecurity threats and incidents in accordance with the cybersecurity incident response plan as discussed above. The CISO, who reports to the CIO, regularly provides updates to the Chair of the Audit Committee and Chief Financial Officer. We also have protocols by which certain cybersecurity incidents are reported promptly to the Chair of the Audit Committee and Chief Financial Officer, as appropriate. The Company’s CISO has served in various cybersecurity roles for over 20 years, leading a variety of cybersecurity and risk capabilities and also holds multiple cybersecurity certifications such as Certified Information Systems Security Professional, Certified Information Systems Auditor, and Certified in Risk and Information Systems Control.


Company Information

Name: ESTEE LAUDER COMPANIES INC
CIK: 0001001250
SIC Description: Perfumes, Cosmetics & Other Toilet Preparations
Ticker: EL - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: June 29