Page last updated on August 22, 2024
SANFILIPPO JOHN B & SON INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-21 16:09:16 EDT.
Filings
10-K filed on 2024-08-21
SANFILIPPO JOHN B & SON INC filed a 10-K at 2024-08-21 16:09:16 EDT
Accession Number: 0000950170-24-099489
Item 1C. Cybersecurity.
Item 1C - Cybersecurity
Overview and Leadership
The Company maintains a company-wide risk management system focused on detecting, identifying, defending against and mitigating the impact of cybersecurity risks in order to guard our information technology systems and protect the confidentiality, integrity, and availability of our information technology processes and data. Our Board of Directors (the “Board”) is responsible for the oversight of cybersecurity risks, including through the delegation of certain cybersecurity oversight authority to the Audit Committee of the Board.
The Company’s information security function and management team is led by our Vice President of Information Technology and Cybersecurity, who has approximately 38 years of experience in the information technology area and holds the CISM certification, and our Senior Director of Information Technology Infrastructure and Cybersecurity, who has approximately 25 years of experience in the information technology area and holds CISSP, CCSP, CISM, and OSCP certifications. The information security team is responsible for monitoring, managing and assessing cybersecurity risks and threats on a day-to-day basis. In particular, the information security team monitors, assesses and mitigates threats and is responsible for improving and strengthening the Company’s cybersecurity environment. As discussed below, the information security team works with nationally recognized third parties and licenses various cybersecurity tools and products to assist with assessing and managing cybersecurity risks. The information security team regularly interacts and discusses cybersecurity matters with our Chief Executive Officer, Chief Financial Officer, Chief Operating Officer and General Counsel as part of our company-wide risk management system.
The information security team has plans and processes in place to escalate certain cybersecurity issues to senior management and the Board or the Audit Committee, including for consideration of whether, when and how to publicly disclose any material cybersecurity event. In addition, we maintain insurance to help reduce our exposure from potential losses should a cybersecurity incident arise.
The information security team undertakes or engages in the following practices and activities, among others, as part of the Company’s risk management system:
- updating of software and hardware (including firmware) for vulnerabilities and required patches;
- regular employee training and education to identify and avoid cybersecurity risks and threats at each level of the organization;
- developing, implementing and testing incident response and information recovery plans to assess and respond to cybersecurity threats and incidents;
- collaborating with our internal audit function and other internal teams for the testing of cybersecurity controls and procedures;
- identifying and managing cybersecurity risks presented by third parties, including cybersecurity vendors, cybersecurity software and hardware providers, other vendors and customers, service providers and other parties with access to the Company’s systems and data; as well as the systems of third parties that could adversely impact our operations or business in the event of a cybersecurity incident affecting those third-party systems;
- overseeing threat intelligence systems and notification procedures; and
- maintaining technology solutions for cybersecurity prevention and defense, including outside firewalls, multifactor authentication systems, separate intrusion prevention and detection systems, anti-virus and anti-malware products and remote access controls.
Use of Third Parties
The Company has engaged, and intends to continue to engage, nationally recognized third parties to assist the Company in assessing, among other things:
- emerging cybersecurity risks;
- threat identification;
- threat neutralization;
- cybersecurity environment testing;
- penetration testing;
- phishing and social engineering methods; and
- best practices for continued compliance and training.
We also have engaged a nationally recognized third party to assist with a tabletop exercise to test our readiness in respect to certain of the preceding events and risks. When risks or threats are identified to the Company by a third party, the information security team is responsible for assessing the risk or threat and determining a course of action to mitigate the risk or neutralize the threat.
Impact of Cybersecurity Events
While no previous cybersecurity incidents have materially affected the Company, a cybersecurity incident could have a material impact on the Company’s results of operations and financial condition. As described above under “Item 1A-Risk Factors - Technology Disruptions, Failures or Breaches, Hacking Activity, Ransomware Attacks or Other Cybersecurity Events Could Materially and Adversely Affect Our Financial Condition and Results of Operations” a material cybersecurity incident could disrupt our business, lead to the loss of data or cause us to suffer financial damage, in addition to litigation or remediation costs or penalties.
Governance Overview
The Board oversees cybersecurity risk through multiple methods.
The Audit Committee of the Board has been delegated certain cybersecurity oversight responsibility and, among other things, receives quarterly updates and presentations from the information security team regarding the Company’s cybersecurity environment, cybersecurity risks and threats, cybersecurity projects the Company has implemented and plans to implement and other cybersecurity developments, and such committee reports to the full Board after each meeting. In addition to these quarterly reports to the Audit Committee, the information security team provides a presentation to the Board at least annually regarding the same topics covered with the Audit Committee.
In addition, members of the Company’s internal audit team have certain responsibilities with respect to projects designed to test the Company’s cybersecurity controls and improve the overall cybersecurity environment.
The Company also has a Risk Assessment Committee composed of selected members of senior management. Member(s) of the information security team are members of this Risk Assessment Committee (which occur at least quarterly) to address cybersecurity risks and discuss cybersecurity threats to the Company. Member(s) of the information security team have the opportunity to present at the Risk Assessment Committee meetings and raise issues and concerns regarding cybersecurity. The minutes of Risk Assessment Committee meetings are provided to the Board and the General Counsel discusses with the Board the matters addressed at the applicable Risk Assessment Committee meeting.
Company Information
Name | SANFILIPPO JOHN B & SON INC |
CIK | 0000880117 |
SIC Description | Sugar & Confectionery Products |
Ticker | JBSS - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | June 27 |