CAMPBELL SOUP CO 10-K Cybersecurity GRC - 2024-09-19

Page last updated on September 19, 2024

CAMPBELL SOUP CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-19 07:21:47 EDT.

Filings

10-K filed on 2024-09-19

CAMPBELL SOUP CO filed a 10-K at 2024-09-19 07:21:47 EDT
Accession Number: 0000016732-24-000130


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Enterprise risk management (ERM) is an integral part of our business processes and our ERM framework considers cybersecurity risk, alongside other company risks, as part of our overall risk assessment process.

We follow an industry-leading National Institute of Standards and Technology cybersecurity framework (NIST CSF) and have developed a comprehensive information security program for assessing, identifying and managing cybersecurity risks that is designed to protect our systems and data from unauthorized access, use or other security impact. As part of our information security program, we continuously monitor and update our information technology networks and infrastructure. We have dedicated internal legal, compliance and information security teams, and leverage consultants and third-party service providers to inform our understanding of the threat landscape and to identify, prevent, detect, address and mitigate risks associated with unauthorized access, misuse, computer viruses and other events that could have a security impact.

Our information security strategy focuses on complying with applicable data privacy and protection laws, maintaining the availability of our manufacturing operations, protecting data, detecting and responding to threats, building resiliency and providing a secure foundation for growth and innovation. We invest in industry standard security technology to protect the company’s data and business processes against risk of cybersecurity incidents. Our data security management program includes identity, trust, vulnerability and threat management business processes, as well as adoption of standard data protection policies. We measure our data security effectiveness by benchmarking against industry-accepted methods, presenting the results to our Board and Audit Committee for evaluation, and making improvements based on such evaluation.

We maintain and routinely test backup systems and disaster recovery and also have processes in place to prevent disruptions resulting from our implementation of new software and systems. We maintain a third-party cyber risk management process to review and monitor critical suppliers regularly for cybersecurity risk and prescribe remediation activities when necessary.

We train our employees through annual security training, phishing simulations and regular communications about timely security topics to enhance their understanding of cybersecurity threats and their ability to identify and escalate potential cybersecurity events.

We have a cross-functional crisis management team comprised of business unit and functional leaders and a crisis management plan that includes procedures for identifying, containing and responding to cybersecurity incidents. We engage third-party cybersecurity experts to conduct tabletop exercises with our executive leadership to enhance incident response preparedness.

Our cybersecurity risk management strategy includes the use of cybersecurity insurance that provides protection against certain potential losses arising from certain cybersecurity incidents; however, such insurance may not insure us against all claims related to security breaches, cyberattacks and other related breaches.

The company has previously experienced threats and breaches to its data and systems but has not experienced a breach that had a material impact on its operations or business and has not incurred any material breach-related expenses for the year ended July 28, 2024 that are reasonably likely to materially affect the company or its business strategy, results of operations or financial condition. However, as discussed in “Item 1A. Risk Factors,” specifically the risks under the heading, “We may be adversely impacted by a disruption, failure or security breach of our information technology systems,” cyber threats are constantly evolving and becoming more frequent and sophisticated. Accordingly, no matter how well designed or implemented the company’s information security policies and procedures are, there can be no assurance that these policies and procedures will prevent or limit the impact of a cybersecurity incident.

Cybersecurity Governance

We have established oversight mechanisms intended to provide effective cybersecurity governance, risk management, and timely incident response. Our Board, in coordination with the Audit Committee, oversees the company’s ERM process, including the management of risks arising from cybersecurity threats. Our Board annually reviews assessments of our information security program under the NIST CSF. It receives benchmarking results of our data security effectiveness and reports from our Chief Technology & Information Officer (CTIO) and Chief Information Security Officer (CISO) on our information security program and recent developments.

Our Board has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee. To fulfill its oversight responsibilities, the Audit Committee reviews the measures implemented by the company to identify and mitigate cybersecurity risks and receives quarterly updates from our CTIO and CISO on the information security program, including the status of significant cybersecurity incidences, the emerging threat landscape, and the status of projects to strengthen the company’s information security posture. The Audit Committee regularly reports to the Board on cybersecurity matters.

In addition, we have a crisis management plan and protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the company and, where appropriate, reported promptly to the Audit Committee or Board, with ongoing updates regarding any such incident until it has been addressed. Our risk oversight processes and disclosure controls and procedures are designed to escalate key risks for the Board to analyze for disclosure purposes.

Our CTIO, a member of our corporate leadership team, oversees the team responsible for leading the enterprise-wide information technology strategy, policy, standards, architecture, and processes. Our CISO, who reports to the CTIO, oversees the dedicated information security team, which works in partnership with the company’s ERM team and corporate audit department as well as consultants as part of an overall internal controls process to monitor cybersecurity threats and prevent, detect, mitigate and remediate cybersecurity incidents.

The CTIO has over 35 years of information technology experience, including serving in strategic planning, oversight and global operation of information systems and technology functions for companies in the food and beverage industries. The CISO has over 25 years of information technology experience, including strategy, execution, and operations of enterprise-wide security programs, including cybersecurity programs, and global information technology infrastructure programs.


Company Information

Name: CAMPBELL SOUP CO
CIK: 0000016732
SIC Description: Food and Kindred Products
Ticker: CPB - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: July 29