Page last updated on August 28, 2024
SYSCO CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-27 18:06:55 EDT.
Filings
10-K filed on 2024-08-27
SYSCO CORP filed a 10-K at 2024-08-27 18:06:55 EDT
Accession Number: 0000096021-24-000128
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We use technology in substantially all aspects of our business operations, and our ability to serve customers effectively depends on the reliability of our technology systems. Greater use of technology and digitization in operations has delivered benefits to our business, while also exposing us and others in our industry to new vulnerabilities in corporate and operational systems. Additionally, our business operations leverage third-party vendors and systems, which makes us susceptible to various cyber threats.
The scale, scope, and complexity of our business raises a multitude of interdependent risks, which can vary over time. A primary responsibility of our leadership team, subject to oversight by our Board of Directors and specifically, our Board’s Technology Committee, is to design and implement processes to identify, prioritize, assess, monitor and manage enterprise-level risks associated with cybersecurity threats.
We have a dedicated cybersecurity team that collaborates with compliance, privacy, legal, and other teams across the global organization to assess the cybersecurity risk landscape. Our cybersecurity oversight function, which is led by our Chief Information Security Officer (CISO) and also includes our Chief Information Officer (CIO), Chief Executive Officer, Chief Financial Officer and General Counsel, directly oversees the cybersecurity and risk management process, which incorporates input from personnel from different functions, levels, and operating regions to support a high level of visibility and accountability throughout the company and to incorporate multiple vantage points on risks and potential mitigations. The cybersecurity oversight function meets at least quarterly to discuss key risks and to discuss mitigation strategies. The results of our cybersecurity team process are communicated to the leadership team and its risk & reputation committee (the RRC) at least quarterly.
The Technology Committee of the Board of Directors oversees cybersecurity risks and receives cybersecurity reports from our CISO and regularly conducts in-depth cybersecurity discussions. Our CIO and CISO have extensive experience in the areas of cybersecurity and risk management. Our CISO has more than 20 years of experience in Information Technology, including cybersecurity leadership roles. Our CIO, who oversees the cybersecurity team and reports directly to our Chief Executive Officer, has over 20 years of experience in information technology strategy, services, operations, risk and cybersecurity for large global enterprises.
Cybersecurity risks are included in the risk universe that the RRC evaluates, with input from information security subject matter experts at the company, to assess top risks to the enterprise. The RRC process provides input into our strategic planning process, such as development of action plans to address and mitigate identified risks. Integrating cybersecurity risk into the overall RRC process in this manner assists the company in identifying, assessing, and managing material cybersecurity risks.
Our cybersecurity program is designed to be aligned with applicable industry standards and is assessed regularly by internal and external cybersecurity experts. The multifaceted nature of our cybersecurity measures includes aspects of prevention, detection, and response capabilities, employee training programs, threat intelligence monitoring, and the implementation of an array of technologies.
We have established processes to oversee and identify cybersecurity risks associated with the use of third-party service providers, which includes (i) the completion of due diligence before engaging with any third party, (ii) controls for response to mitigate any significant risks, and (iii) assessments and reviews during the course of the relationship.
Additionally, we have ongoing partnerships with government and commercial cybersecurity experts to understand emerging cybersecurity threats. We seek to detect and investigate suspected attacks against our network, products, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to our internal processes and tools; however, we still remain potentially vulnerable to known or unknown threats.
Our cyber incident response plan includes an escalation process if a cybersecurity incident meets specific rating criteria to trigger action designed to minimize potential disruptions and protect the integrity of our operations. The cyber incident response plan has been reviewed by external experts and is reviewed internally annually. We also conduct periodic cybersecurity tabletop exercises where we perform walkthroughs of cyber incident scenarios with senior management to test and enhance preparedness.
During the year ended June 29, 2024, the company has not identified risks from cybersecurity threats, including as a result of prior cybersecurity incidents, that have materially affected or are reasonably anticipated to materially affect the company, including its business strategy, results of operations, or financial condition. Nevertheless, the company recognizes cybersecurity threats are ongoing and evolving and has seen an increase in cyberattack volume, frequency and sophistication. We are committed to supporting the governance and oversight of cybersecurity risks and to implementing mechanisms, controls, technologies, and processes designed to help the company assess, identify, and manage these risks. For more information on the company’s cybersecurity risks, refer to Item 1A, “Risk Factors.”
Company Information
Name | SYSCO CORP |
CIK | 0000096021 |
SIC Description | Wholesale-Groceries & Related Products |
Ticker | SYY - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | June 28 |