LANCASTER COLONY CORP 10-K Cybersecurity GRC - 2024-08-22

Page last updated on August 22, 2024

LANCASTER COLONY CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-22 07:43:30 EDT.

Filings

10-K filed on 2024-08-22

LANCASTER COLONY CORP filed a 10-K at 2024-08-22 07:43:30 EDT
Accession Number: 0000057515-24-000020

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity RISK MANAGEMENT AND STRATEGY We have processes to identify, assess, monitor, and manage material risks related to information technology, including cybersecurity threats, vulnerability management, incident management, data protection and retention, and fraud prevention. Our Enterprise Risk Management process evaluates and mitigates cybersecurity risks in alignment with our business objectives and operational needs. We periodically engage third-party security firms and consultants to oversee and identify cybersecurity risks; the results of these assessments are reported to our Audit Committee. Our service providers, and third-party hardware or software applications on our networks and company-issued devices, may pose cybersecurity risks. As a result, we assess these parties for cybersecurity risks using information supplied by our counterparty and/or third parties. Internal or external audits are conducted based upon the level of risk presented. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways. As part of the cybersecurity program, our information systems are monitored by automated tools and the Information Technology team. We have adopted an Incident Response Policy, which outlines the procedures we believe are necessary to identify, investigate, contain, communicate, respond, remediate and recover from a security incident. This Incident Response Policy is overseen by our Vice President of Infrastructure and Security (“VP Infrastructure”) along with the Incident Response team, which may consist of members from legal, human resources, finance or other functions, if necessary. The Incident Response Policy provides organizational and operational structure, processes, and procedures to our personnel so that employees can respond to incidents that may affect the function and security of our IT assets, information resources, and business operations. We conduct periodic information security awareness training for employees and provide related educational materials. While we have been subject to cyber attacks, the expenses (including penalties and settlements, of which there were none) related to such incidents were immaterial, and the risks related thereto have not been and are not reasonably likely to be material to our business strategy, results of operations or financial condition. Any significant disruption to our ability to transact business could adversely affect our business performance as well as our reputation. We describe whether and how risks from cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, in Item 1A Risk Factors - “Risks Related to Cybersecurity and Information Technology,” which is incorporated by reference herein. GOVERNANCE Our Audit Committee of the Board of Directors is responsible for oversight of risks from cybersecurity threats. Our Audit Committee receives quarterly reports from our Enterprise Risk Management Committee (“ERM Committee”), as well as directly from our Chief Information Officer (“CIO”) or VP Infrastructure, periodically, as appropriate. These reports cover various cybersecurity matters, including risk assessments, risk prevention and mitigation activities, and incident reports along with remediating actions, areas of emerging risks, industry trends, and other areas of importance. Furthermore, our Audit Committee oversees our annual enterprise risk assessment. This assessment encompasses key risks associated with security, technology, and cybersecurity threats in the same manner as other key risks. Our cybersecurity risk management processes are led by our CIO and our VP Infrastructure. Our CIO has served our company in that capacity since 2018 and held CIO or other IT and cybersecurity leadership roles at other companies for more than 10 years prior to that. He has a master’s degree in computer systems from the Naval Postgraduate School. Our VP Infrastructure, who is responsible for our information technology infrastructure and our information security strategy and operations, has more than 30 years of experience in information technology, serving in senior IT leadership roles with responsibility for cybersecurity at our company since 2007. His IT expertise was established prior to that through education and work experience in a variety of technical positions in the consumer goods, health care, and aerospace industries. They are supported by a team of skilled information security professionals within our Information Technology function. This team provides periodic updates to our ERM Committee, composed of our Chief Executive Officer, Chief Financial Officer, General Counsel, and other members of our senior leadership.

Company Information