Simply Good Foods Co 10-K Cybersecurity GRC - 2024-10-29

Page last updated on October 29, 2024

Simply Good Foods Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-29 15:11:22 EDT.

Filings

10-K filed on 2024-10-29

Simply Good Foods Co filed a 10-K at 2024-10-29 15:11:22 EDT
Accession Number: 0001702744-24-000089


Item 1C. Cybersecurity.

Overview and Leadership

Our enterprise risk management framework considers cybersecurity risk alongside other risks as part of our overall enterprise risk assessment process. As part of our enterprise risk management, we maintain a comprehensive information technology, data governance and cybersecurity program that leverages people, processes and technology, to support the effectiveness of our information technology systems and identify, prevent and mitigate information technology and data security risks. Our cybersecurity program is aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Our cybersecurity team utilizes a variety of tools, processes and outside resources to continue to evolve and maintain our cybersecurity program’s maturity across the elements of NIST CSF. Our information security program is focused on detecting, identifying, defending against and mitigating the effect of cybersecurity risks to guard our information technology systems and protect the confidentiality, integrity, and availability of our information technology processes and data. Our Board of Directors is responsible for the oversight of cybersecurity risks, including through the delegation of certain cybersecurity oversight authority to the Audit Committee of the Board. Our information security program also addresses cybersecurity risks associated with our use of third-party service providers. We use systems and processes designed to assess, identify and reduce the potential impact of a cybersecurity incident at any of our third-party service providers. We assess information security controls of certain of our third-party service providers as part of our third-party information technology risk due diligence, and we conduct third-party vulnerability analysis regularly.
Our information security function and management team is led by our Chief Information Officer, who has approximately 26 years of experience in the information technology area and reports to our Chief Financial Officer and our Director of Infrastructure and Controls. Our Director of Infrastructure and Controls has approximately 20 years of experience in the information technology area. The information security team is responsible for monitoring, managing, assessing and mitigating cybersecurity risks and threats on a day-to-day basis and is responsible for improving and strengthening our cybersecurity environment. As discussed below, the information security team works with nationally recognized third parties and licenses various cybersecurity tools and products to assist with assessing and managing cybersecurity risks. The information security team regularly interacts and discusses cybersecurity matters with our Chief Financial Officer and a member of our Board who serves as the Board’s primary contact on cybersecurity matters as a part of our company-wide risk management system. The information security team has plans and processes in place to escalate certain cybersecurity issues to senior management and the Board or the Audit Committee, including to determine whether, when and how to publicly disclose any material cybersecurity event. In addition, we maintain insurance to help reduce our exposure from potential losses should a cybersecurity incident arise. 
The information security team undertakes or engages in these practices and activities, among others, as part of the Company’s risk management system:

- updating of software and hardware (including firmware) for vulnerabilities and required patches;
- regular employee training and education to identify and avoid cybersecurity risks and threats;
- developing, implementing and testing incident response and information recovery plans to assess and respond to cybersecurity threats and incidents;
- collaborating with our internal audit function and other internal teams for testing cybersecurity controls and procedures;
- identifying and managing cybersecurity risks presented by third parties, including cybersecurity vendors, cybersecurity software and hardware providers, other vendors and customers, service providers and other parties with access to our systems and data; and the systems of third parties that could adversely affect our operations or business in the event of a cybersecurity incident affecting those third-party systems;
- overseeing threat intelligence systems and notification procedures; and
- maintaining technology solutions for cybersecurity prevention and defense, including outside firewalls, multi-factor authentication systems, separate intrusion prevention and detection systems, anti-virus and anti-malware products and remote access controls.

Use of Third Parties

We have engaged, and intend to continue to engage, nationally recognized third parties to assist us in assessing, among other things:

- emerging cybersecurity risks;
- threat identification;
- threat neutralization;
- cybersecurity environment testing;
- penetration testing;
- phishing and social engineering methods; and
- best practices for continued compliance and training.
When risks or threats are identified to us by a third party, the information security team is responsible for assessing the risk or threat and determining a course of action to mitigate the risk or neutralize the threat.

Effect of Cybersecurity Events

While no previous cybersecurity incidents have materially affected the Company, a cybersecurity incident could have a material effect on our results of operations and financial condition. As described above under “Item 1A-Risk Factors - Any inadequacy, failure or interruption of our information technology systems may harm our ability to effectively operate our business, and our business is subject to online security risks, including security breaches and identity theft,” a material cybersecurity incident could disrupt our business, lead to the loss of data or cause us to suffer financial and/or reputational damage, in addition to litigation or remediation costs or penalties.

Governance Overview

Our Board oversees cybersecurity risk through multiple methods. The Audit Committee of the Board has been delegated certain cybersecurity oversight responsibility and, among other things, receives quarterly updates and presentations from our Chief Information Officer regarding our cybersecurity environment, cybersecurity risks and threats, cybersecurity projects we have implemented and plan to implement and other cybersecurity developments. The chair of the Audit Committee reports to the full Board after each meeting. In addition, our information security team regularly interacts and discusses cybersecurity matters with a member of the Board who serves as the Board’s primary contact on cybersecurity matters as part of our company-wide risk management system. On a quarterly basis, the Board receives a Quarterly Enterprise Risk Assessment Update that typically includes content regarding Information Technology systems and cybersecurity.


Company Information

Name: Simply Good Foods Co
CIK: 0001702744
SIC Description: Food and Kindred Products
Ticker: SMPL - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: August 25