CHS INC 10-K Cybersecurity GRC - 2024-11-06

Page last updated on November 6, 2024

CHS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-06 12:00:49 EST.

Filings

10-K filed on 2024-11-06

CHS INC filed a 10-K at 2024-11-06 12:00:49 EST
Accession Number: 0000823277-24-000046

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We have established processes for identifying, assessing and managing material risks from cybersecurity threats associated with our key information technology systems. These processes have been integrated into our overall risk management strategies, as overseen by our Board of Directors, primarily through the board’s Corporate Risk Committee and Audit Committee. These processes also include identifying and overseeing risks from cybersecurity threats associated with the use of third-party service providers. We conduct security assessments of certain third-party providers before engagement and have established monitoring procedures to mitigate risks related to data breaches or other security incidents originating from third parties. In addition, we conduct employee training on information security topics designed to address phishing and e-mail security, password security and data-handling security. We use e-mail security, endpoint security, logging and monitoring, remote access, application security and other tools to deter threat actors, block malicious/phishing e-mails and avoid IT system interruptions. From time to time, we engage third-party consultants, legal advisors, and audit firms to evaluate and test our risk management systems and assess and remediate cybersecurity threats and incidents as appropriate. Additionally, our Enterprise Risk Management (“ERM”) team analyzes cybersecurity risks, emerging industry trends and identification of mitigation, as part of a holistic analysis of risks across CHS. Governance Management Under the oversight of the Corporate Risk Committee of our Board of Directors, the chief information officer (“CIO”) and chief information security officer (“CISO”) are primarily responsible for assessment and management of material cybersecurity risks, with the CIO being responsible for strategic direction and management of information technology systems and the CISO being responsible for security of such systems, as described further below. The CIO has more than 30 years of experience with global technology organizations across multiple industries. The CISO has more than 20 years of experience in information security, risk management and compliance and is a certified information systems security professional. The CIO and CISO are also supported by an incident response team (“IRT”) comprised of selected members of senior management and responsible for providing cross-functional support and response facilitation for cybersecurity incidents. Our CISO oversees our cybersecurity incident response plan and related processes that are designed to assess and manage material risks from cybersecurity threats, including aligning programs with industry standards, conducting tabletop exercises, providing education/training and taking other preventive measures. Our CISO coordinates with legal counsel and third party experts to assess and manage material risks from cybersecurity threats. Our CISO is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents pursuant to criteria set forth in our incident response plan and related processes. Our CISO or a delegate informs the IRT of cybersecurity incidents that may potentially be determined to be material pursuant to escalation criteria set forth in our incident response plan and related processes. The CISO, in collaboration with legal counsel, is primarily responsible for advising our chief executive officer (“CEO”) and chief financial officer (“CFO”) regarding cybersecurity disclosures in public filings. The CISO also notifies the Audit Committee chair of any material cybersecurity incident. As of the date of this Annual Report on Form 10-K, we have not detected any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations or financial condition. For further discussion of the risks associated with cybersecurity incidents, refer to Item 1A. Risk Factors in this Annual Report on Form 10-K. Board of Directors The Corporate Risk Committee of our Board of Directors oversees our information technology systems, including information security, compliance and privacy. Additionally, the Audit Committee of our Board of Directors oversees adequacy and effectiveness of our controls and procedures, including those designed to assess, identify and manage material risks from cybersecurity threats and incidents. Further, at least once per quarter, our CIO and/or CISO report on cybersecurity matters to the Corporate Risk Committee, and updates are provided to our Board of Directors at regular board meetings. The CIO also provides updates annually or more frequently as appropriate to our Board of Directors. Our ERM team reports annually on the company’s risks to our Board of Directors, which includes progress related to mitigation activities and risk conditions.

Company Information