EDGEWELL PERSONAL CARE Co 10-K Cybersecurity GRC - 2024-11-14

Page last updated on November 14, 2024

EDGEWELL PERSONAL CARE Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-14 16:25:44 EST.

Filings

10-K filed on 2024-11-14

EDGEWELL PERSONAL CARE Co filed a 10-K at 2024-11-14 16:25:44 EST
Accession Number: 0001628280-24-047916


Item 1C. Cybersecurity.

Risk Management and Strategy

We have a cybersecurity program to assess, identify, and manage risks from cybersecurity threats. This includes multiple tools and processes for assessing, identifying, and managing material risks from cybersecurity threats. Our efforts are designed to maintain the confidentiality, integrity, and availability of our information and operational technology systems and the data stored on those systems. The program includes:

- Conduct periodic risk assessments to identify cybersecurity risks in our IT systems
- Monitor for external threats and manage incident response
- Engage third-party security providers for penetration testing and program reviews based on National Institute of Standards and Technology (“NIST”) standards
- Perform internal audit reviews of IT-related controls
- Assess cybersecurity risks of third-party vendors
- Train employees regularly, including phishing simulations

The cybersecurity program is continually adapting to the evolving threat landscape and technology developments. A multi-functional enterprise cybersecurity and infrastructure team reviews and assesses top cybersecurity risks. This assessment is shared with members of senior management, including the CFO and the Senior Vice President (“SVP”), IT, and helps guide the Company’s cybersecurity operational priorities and strategy. In addition, cybersecurity risks are integrated into the Company’s broader Enterprise Risk Management program and, when identified, are reported to relevant business and governance leaders within the Company for appropriate action. To support the ongoing identification and management of cybersecurity issues, the Company provides information security employee training, conducts global and targeted phishing simulation campaigns, and conducts tabletop exercises.

The Company also deploys a combination of security tools and experts to help prevent, detect, contain, eradicate, and recover from potential cybersecurity issues and cyber-attacks. Further, the Company engages third-party consultants and services for cyber threat intelligence, insights, and assessments of its cybersecurity risk posture and governance. The Company’s third-party intake process incorporates cybersecurity risk into the assessment of our third-party vendors when we engage a new vendor or experience a change in relationship with an existing vendor. Further, the Company’s cybersecurity team conducts reviews of its third-party vendors depending on the vendor’s risk profile as determined by its cybersecurity team. As a global company, we manage a variety of cybersecurity threats and cannot wholly eliminate the risk of adverse impacts from such incidents. However, as of the date of this Form 10-K, we have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of our operations, or financial condition. For additional information on the risks from cybersecurity threats that we have faced in the past and expect to continue to face in the future, please refer to the “Risk Factors” in Part I, Item 1A of this Form 10-K.

Security Policy and Requirements

As part of our overall risk management program, we have adopted our Information Security Policy, which details the overall risk-based framework and governance for the management and security of our information technology assets and information. The policy applies to everyone who accesses our data or information resources and to all of our information systems and resources, including third parties we engage. Our program aligns with the NIST 2.0 cybersecurity framework.

Governance

Our Board of Directors is part of the Company’s Cyber Response Task Force and tabletop simulations. Additionally, the Board of Directors has delegated to the Audit Committee oversight responsibility for our risk management program, including cybersecurity, business continuity, IT operational resilience, and data privacy. The Audit Committee has specific responsibility for reviewing the status of the security of the Company’s electronic data processing information systems related to the Company’s people, assets, and information systems. The Audit Committee receives regular updates from the SVP, IT, about information security and systems security programs and plans, including emerging trends and progress on overall enterprise cybersecurity programs and priorities. These updates occur at least two times a year, with interim updates as needed. Additionally, we have protocols by which certain cybersecurity incidents are reported promptly to the Chief Executive Officer or the Audit Committee, as appropriate. A cyber dashboard is also provided to the Board of Directors quarterly. Management is responsible for implementing its strategic plans, including identifying, evaluating, managing, and mitigating the risks inherent in them, such as cybersecurity risks.

Internal Cybersecurity Team

The Information Security organization reports into the SVP, IT, and includes a dedicated team of centralized information security experts with extensive cybersecurity knowledge and experience to manage cyber risk under the leadership of the Director of Information Security. The team is responsible for the following:

- Implementing enterprise-wide cybersecurity strategy
- Developing and enforcing cybersecurity policy
- Developing and enforcing cybersecurity standards
- Approving and reviewing cybersecurity architecture
- Developing and enforcing cybersecurity processes
- Developing and testing cybersecurity incident response
- Performing other cybersecurity operational activities, including but not limited to:
  ◦ Vulnerability management strategy
  ◦ Network security configurations
  ◦ Risk management and oversight of third parties

Incident Response

We have adopted a cybersecurity incident response plan that is designed to provide a framework across all functions for a coordinated identification of and response to security incidents. The plan specifies the process for identifying, validating, classifying, documenting, and responding to cybersecurity events, as well as for determining whether reporting of an event is appropriate under regulatory standards. Internal reporting and escalation protocols are in place to ensure the involvement of the SVP, IT, other senior leaders, and the Audit Committee, as appropriate. Under the plan, we conduct tabletop exercises to test our preparedness and our incident response process, and we provide ongoing training.

Risk Factors

As a global company serving customers in multiple countries and territories, we routinely experience a wide variety of cybersecurity incidents. As of the date of this Form 10-K, we have not experienced a cybersecurity incident that has materially affected or is reasonably likely to materially affect our business strategy, results of operation, or financial condition. Additional information on cybersecurity risks we face is discussed in Item 1A, “Risk Factors,” which should be read in conjunction with the information in this section.


Company Information

Name: EDGEWELL PERSONAL CARE Co
CIK: 0001096752
SIC Description: Perfumes, Cosmetics & Other Toilet Preparations
Ticker: EPC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29