Page last updated on September 16, 2024
FARMER BROTHERS CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-12 17:02:59 EDT.
Filings
10-K filed on 2024-09-12
FARMER BROTHERS CO filed a 10-K at 2024-09-12 17:02:59 EDT
Accession Number: 0000034563-24-000070
Item 1C. Cybersecurity.
Overview
We understand the importance of cybersecurity in maintaining the confidentiality, integrity and availability of our systems and data. In order to protect against increasingly sophisticated cybersecurity threats, we have developed, implemented and maintained policies, procedures, and controls to mitigate material risks from cybersecurity threats, including robust protocols for the assessment of information concerning material cybersecurity incidents and the disclosure of such information to investors. These risks are evaluated on an ongoing basis as part of our overall risk management strategy. As discussed in more detail below, we have policies and procedures in place to safeguard our information systems, monitor these systems, protect the confidentiality and integrity of our data, train and raise awareness of cybersecurity threats amongst employees, detect intrusions into our systems, and respond to cybersecurity incidents. Despite these efforts, no system is impenetrable, and we cannot provide assurances that we will timely identify or prevent every cybersecurity attack or incident.
Risk Management and Strategy
We have established processes for assessing, identifying, and managing material risks from cybersecurity threats and have integrated these cybersecurity processes into our overall risk management system. Specifically, we have adopted a cybersecurity framework which, where appropriate, aligns with the NIST’s Cybersecurity Framework. Further, our systems, where appropriate, are PCI compliant under current standards. We regularly review our Incident Response Plans to ensure readiness if and when an incident does occur. In the event of a cybersecurity incident, if a system does become non-operational, we maintain disaster recovery capabilities to return to normal operation in a timely manner.
Our cybersecurity processes to assess and identify cybersecurity risks include periodic risk assessments, deployment of security monitoring tools for continuous monitoring of our information systems, periodic testing for vulnerabilities in our systems, periodic testing of employees’ cybersecurity awareness, and the dispatch of incident-specific cybersecurity alerts, among other procedures. Our Information Security team evaluates cybersecurity risks and works to design and ensure implementation of appropriate controls and safeguards in alignment with our business objectives and operational needs. Management periodically reviews cybersecurity risks as part of the overall risks to the company as part of the enterprise risk management program. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.
We engage various third parties to assess, test, or assist with the implementation of our risk management strategies, policies, and procedures to enhance our detection and management of cybersecurity risks, including but not limited to: consultants who assist with assessing risks, support our PCI compliance assessments, assess our systems alignment with the NIST Cybersecurity Framework, and test and/or scan for vulnerabilities. We rely on software, hardware, and network systems, including cloud-based technology, which are either developed by us or licensed from or maintained by third parties to maintain operations.
Cybersecurity Governance
Management
The Company’s Director of Infrastructure & Security leads its cybersecurity program and reports to the Company’s Vice President of Information Technology. The Director of Infrastructure & Security is responsible for management of cybersecurity risk and protection and defense of the Company’s networks and systems.
The Director of Infrastructure & Security manages a team of cybersecurity professionals with broad experience and expertise, including in incident response, forensics, threat intelligence, vulnerability management, and mitigation. The Company’s cybersecurity team has processes in place to assess, identify, manage, and address material cybersecurity threats and incidents. These include, among other things: annual and ongoing security awareness training for employees, mechanisms to detect and monitor unusual network and endpoint activity, integrated threat intelligence and containment and incident response tools. The cybersecurity team also leverages multiple third-party security programs for full-time monitoring of security stacks and on-demand support to act as force multipliers in the event of severe or critical security events.
Both the Company’s Director of Infrastructure & Security and Vice President of Information Technology have extensive cybersecurity knowledge and skills, with each possessing over 20 years of cybersecurity and related IT security experience. The Director of Infrastructure & Security and the Vice President of Information Technology each remain informed of and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents and risks, including through their regular review of reports prepared by the Company’s Information Security team and the measures implemented by the Company to identify and mitigate cybersecurity risks and related threats.
Board of Directors
Our Board of Directors oversees our Enterprise Risk Management program, and cybersecurity risks are monitored as a part of the broader program. Our Board has primary responsibility to oversee risks from cybersecurity threats and has designated a specific Director, who possesses significant experience in information technology, as a special liaison (the “Technology Liaison”) between management and the Board of Directors.
The Board of Directors as a whole, or through the Technology Liaison, regularly reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our Technology Liaison receives quarterly updates from the Director of Infrastructure and Security and the Vice President of Information Technology relating to significant risks, cyber incidents, key performance indicators measuring the effectiveness of the Company’s cybersecurity risk program and other relevant matters. The Technology Liaison regularly briefs the Board on these updates, and the Board also receives periodic briefings on cybersecurity risk as part of the Company’s broader Enterprise Risk Management program. These risks, including current and emerging risks, are regularly evaluated by the Technology Liaison and the Board. In addition to the regular updates to the Technology Liaison, we have protocols by which certain cybersecurity incidents and threats are escalated within the Company and, where appropriate, reported in a timely manner to the Board and Technology Liaison.
Company Information
Name | FARMER BROTHERS CO |
CIK | 0000034563 |
SIC Description | Miscellaneous Food Preparations & Kindred Products |
Ticker | FARM - Nasdaq |
Website | |
Category | Accelerated filer |
Fiscal Year End | June 29 |