Duckhorn Portfolio, Inc. 10-K Cybersecurity GRC - 2024-10-07

Page last updated on October 7, 2024

Duckhorn Portfolio, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-07 16:30:56 EDT.

Filings

10-K filed on 2024-10-07

Duckhorn Portfolio, Inc. filed a 10-K at 2024-10-07 16:30:56 EDT
Accession Number: 0001835256-24-000040


Item 1C. Cybersecurity.

The Company recognizes the importance of developing, implementing and maintaining cybersecurity measures designed to safeguard our information systems and protect the confidentiality, integrity and availability of our data. The Company employs a holistic process for overseeing and managing cybersecurity and information security risks, which is supported by management, the Audit Committee and the Board.

Cybersecurity Risk Management and Strategy

We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This includes, among other initiatives, annual and ongoing security awareness training for employees, mechanisms to detect and monitor unusual network and endpoint activity, integrated threat intelligence and containment and incident response tools.

Our information security program is managed by our Vice President, Information Technology (“VPIT”), whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. The VPIT reports directly to the Chief Financial Officer (“CFO”), who provides quarterly reports to our Audit Committee and periodic reports to our Board, as well as our Chief Executive Officer and other members of our executive team, as appropriate. These reports include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program and the emerging threat landscape. Our program is regularly evaluated by internal and external experts with the results of those reviews also reported by the VPIT to the CFO and, subsequently, to our executive team, Board and Audit Committee, as appropriate.

We also actively engage with key third-party vendors, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures.

The Company’s approach to cybersecurity risk management includes the following key elements:

Multi-Layered Defense and Continuous Monitoring. The Company employs various approaches to protect its computing environments and products from cybersecurity threats through multi-layered defenses and apply lessons learned from its defense and monitoring efforts to proactively prevent future attacks. The Company’s internal cybersecurity team and third-party security services provide comprehensive cyber threat detection and response capabilities and maintain a full-time monitoring system which complements the technology, processes and threat detection techniques we use to monitor, manage and mitigate cybersecurity threats. From time to time, the Company engages third-party consultants or other advisors to assist in assessing, identifying and/or managing cybersecurity threats.

Third-Party Risk Assessments. The Company engages with a range of external experts, including cybersecurity assessors, consultants, legal advisors and auditors in evaluating and testing potential threats to Duckhorn systems. Our collaboration with these parties includes regular reporting, threat assessments and consultation on security enhancements.

Training and Awareness. The Company’s cybersecurity team provides periodic awareness training to our employees to help identify, avoid and mitigate cybersecurity threats. Employees with network access participate annually in required trainings, which cover timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security and educate employees on the importance of reporting all incidents promptly to the Company’s centrally managed cyber defense and security operations teams. The Company also periodically hosts tabletop exercises with management and other employees to practice rapid cyber incident response.

Supplier Engagement. The Company requires its suppliers to comply with its standard information security terms and conditions as a condition of doing business with us. Certain suppliers are also required to complete information security questionnaires to review and assess any potential cyber-related risks depending on the nature of services provided. The Company allows its suppliers limited and monitored access to certain of its networks and systems.

Incident Response Plan. The Company’s cybersecurity team, overseen by our VPIT, implements and oversees processes for the monitoring of our information systems. This includes the deployment of security measures and system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, we deploy an Incident Response Plan, which includes migrating actions, stakeholder engagement and long-term strategies for remediation and prevention of future incidents.

As of the date of this report, we have not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition, but we cannot provide assurance that we will not be materially affected in the future by such risks or any future material incidents. For more information, see Item 1A. Risk Factors.

Cybersecurity Governance and Oversight

The Company’s cybersecurity risk management program is supervised by our VPIT, who reports directly to the Company’s CFO. The VPIT and his team are responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. Our current VPIT has over 20 years of experience in the IT industry and more than 13 years of dedicated service to The Duckhorn Portfolio, where he has played a pivotal role in shaping the company’s IT infrastructure and security posture. He brings expertise in Sarbanes-Oxley compliance and is supported by a team of seasoned IT professionals.

The Duckhorn Portfolio Cybersecurity Policy outlines our processes for determining, assessing the materiality of, monitoring and responding to cyber security incidents. The VPIT, CFO and Chief Strategy and Legal Officer, in conjunction with outside counsel and consultants, review the materiality and disclosure of any cyber security incidents, which ultimately are reviewed by the Company’s Disclosure Committee and Audit Committee.

The Company’s Incident Response Team, overseen by our VPIT, is primarily responsible for implementing our Incident Response Plan for assessing, identifying, communicating and managing cybersecurity threats, incidents and risks. The Incident Response Team manages cybersecurity incidents and drives awareness, ownership and alignment across broad governance and risk stakeholder groups. The Incident Response Team consists of IT team members (management, infrastructure and cybersecurity) and, as appropriate, senior leaders from our legal, finance and other internal departments, who may engage external subject matter experts, if required. The Incident Response Team is responsible for overseeing and validating the Company’s cybersecurity strategic direction, risks and threats, priorities, resource allocation, capabilities and planning. The Incident Response Team typically operates under the authority of the Company’s executive team and in alignment with Duckhorn’s Risk Steering Committee, a cross-functional management committee that oversees and provides strategic direction for Duckhorn’s Enterprise Risk Management program.

The Audit Committee of the Board of Directors is charged with oversight of cybersecurity matters and receives quarterly reports from the VPIT and/or CFO regarding, among other things, the Company’s cyber risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging threat landscape. The Audit Committee also conducts a semiannual review of our cybersecurity posture and the effectiveness of our risk management strategies. The Chair of the Audit Committee regularly briefs the full Board on matters of cyber security. The Board also periodically receives cybersecurity updates directly from management.


Company Information

Name: Duckhorn Portfolio, Inc.
CIK: 0001835256
SIC Description: Beverages
Ticker: NAPA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: July 30