Oil-Dri Corp of America 10-K Cybersecurity GRC - 2024-10-10

Page last updated on October 10, 2024

Oil-Dri Corp of America reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-10 16:09:15 EDT.

Filings

10-K filed on 2024-10-10

Oil-Dri Corp of America filed a 10-K at 2024-10-10 16:09:15 EDT
Accession Number: 0000074046-24-000061

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C - CYBERSECURITY Cybersecurity Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. We 26 have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other risk areas. We have also implemented a specific cybersecurity program which adopts a risk management approach to information security, requiring the identification, assessment, and appropriate mitigation of vulnerabilities and threats that can adversely impact our information assets. Our cybersecurity program includes: - A risk assessment process designed to help identify material cybersecurity risks to our critical systems, information, services, and our broader enterprise IT environment; - An information security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents; - The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls; - Cybersecurity awareness training of our employees, incident response personnel, and senior management; - A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and - A third-party risk management process for customers, service providers, suppliers, and vendors. In evaluating the risks identified as a part of the annual assessment process, the Company’s information security team considers the likelihood and severity of the respective risk and the potential impact of the risk on the Company, its customers, and its employees. These risks are then prioritized and monitored by the information security team. The Company conducts periodic testing of software, hardware, defensive capabilities, and other information security systems to assess its cybersecurity readiness and maturity of the cybersecurity program. Tests are conducted by the information security team and reputable third-party consultants and auditors. In developing and evaluating the testing procedures, the Company considers both its individual risks and industry standards. The cybersecurity program includes an incident response plan with a cross-functional team comprised of designated members of the information technology department, senior management, and other appropriate individuals. The team is responsible for assessing and managing the cybersecurity incident response process, as outlined within the incident response plan, and taking necessary corrective actions to mitigate and eliminate the issue. As of the date of this report, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition that are required to be reported in this Form 10-K. For further discussion of the risks associated with cybersecurity incidents and potential impact to the Company, see the cybersecurity risk factors within “Item 1A. Risk Factors” in this Form 10-K. Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates on a quarterly basis from management, including leaders from our information security and legal teams regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Our cybersecurity risk management and strategy processes are overseen by leaders from our information security team, such as our Chief Information Officer, Director, Applications Delivery, and our Director of Information Technology. Such individuals have nearly 40, over 30, and over 20 years of experience, respectively, in various roles involving information technology, including infrastructure and operations, security, auditing, compliance, and application development. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee on any appropriate items. 27

Company Information