Page last updated on October 1, 2024
UNITED NATURAL FOODS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-01 17:24:26 EDT.
Filings
10-K filed on 2024-10-01
UNITED NATURAL FOODS INC filed a 10-K at 2024-10-01 17:24:26 EDT
Accession Number: 0001020859-24-000045
Item 1C. Cybersecurity.
Risk Management and Strategy
We have established policies and processes for assessing, identifying and managing risks from cybersecurity threats based on the National Institute of Standards and Technology (“NIST”) cybersecurity framework. Our technology environment is regularly assessed, both internally and through the use of third parties, against the six NIST principles (identify, detect, protect, recover, respond, govern) to oversee and identify the likelihood and impact of risks from cybersecurity threats. Additionally, we apply these principles where appropriate to third-party technology providers. We also utilize third parties to assess the effectiveness of our cybersecurity program on a periodic basis, which includes engaging cybersecurity assessors and cybersecurity experts to assist in the detection, verification and validation of risks from cybersecurity threats, as well as to support associated mitigation plans when necessary.
We have a cybersecurity incident response plan in place to assist us in detecting, analyzing, containing, responding to and recovering from cybersecurity incidents. We also maintain cybersecurity insurance coverage to protect against certain potential losses arising from cybersecurity incidents.
We have identified and as a result monitor cybersecurity as an enterprise risk of the Company. We have an Information Security Steering Committee that meets quarterly to review the cybersecurity threat landscape, current risks, incidents and program management. We routinely assess the cybersecurity threat landscape, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity or availability of our information systems or any information residing therein.
Our Chief Information Security Officer (“CISO”) leads a dedicated cybersecurity team responsible for policy, governance, vulnerability management, architecture and incident response. Our team monitors and tests our cybersecurity policies and procedures through methods such as periodic reviews, targeted assessments and tabletop exercises. All personnel with access to UNFI systems are made aware of our cybersecurity policies and procedures upon hire and through periodic refresher trainings. Such policies and procedures cover areas such as identity and access management, vendor management, data governance and protection, vulnerability management, incident response, recovery, communications and cybersecurity hygiene.
We have not experienced any cybersecurity incidents that have materially impacted or are likely to materially impact our business strategy, results of operations or financial condition based on information known to us as of the date of this Annual Report. Although we cannot eliminate all potential threats, our cybersecurity program is operated in a manner to minimize the likelihood of any threat becoming material and to keep pace with a constantly evolving cybersecurity landscape. For more information on risks from cybersecurity threats, refer to the risks described under “Risk Factors” included in Part I, Item 1A in this Annual Report.
Governance
Board’s Role in Oversight of Risks from Cybersecurity Threats
Our Board of Directors has appointed the Audit Committee to assist in fulfilling its responsibilities with respect to the oversight of cybersecurity, data privacy and information technology. Several of our Directors, including certain members of our Audit Committee, have backgrounds or professional experience in risk management, digital platforms, information technology or cybersecurity and meet regularly with members of our management team to advise on cybersecurity matters and technology initiatives.
Our Chief Information Officer (“CIO”), CISO and other members of management provide quarterly updates to the Audit Committee and meet with the Board of Directors at least annually regarding risks related to information systems, information security and cybersecurity. Specific topics may include updates to the Company’s strategy to combat cybersecurity risks; cybersecurity news and events; key focus areas; the threat landscape; and the results of certain assessments and testing. Our CIO, CISO or other members of management provide information to the Audit Committee or our Board of Directors, as applicable, pursuant to risk-based escalation protocols for cybersecurity incidents in accordance with an established materiality framework.
Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats
The information security function is led by our CISO, under the direction of our CIO. Our CISO, who has been serving in this position since January 2020, has over 20 years of experience in information security and is a Certified Information Systems Security Professional. Our CISO maintains primary responsibility for developing cybersecurity strategies; cybersecurity governance; identifying, assessing and monitoring cybersecurity risks; preparing for and responding to cybersecurity incidents; verification and testing of cybersecurity; and disaster recovery governance. Our CISO may authorize specific Company associates to assist in managing these responsibilities if determined necessary, including the Crisis Response Team.
Our CIO and CISO have oversight responsibilities of the Company’s cybersecurity program. We conduct a regular cybersecurity risk assessment process through our CISO and dedicated information security team, which reports to the Information Security Steering Committee. This committee meets at least quarterly to review current program progress and discuss and evaluate risks that could be material to our business, including cybersecurity threats. The Information Security Steering Committee is comprised of key leadership across the Company to support cross-functional representation.
Company Information
Name | UNITED NATURAL FOODS INC |
CIK | 0001020859 |
SIC Description | Wholesale-Groceries, General Line |
Ticker | UNFI - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | July 30 |