Page last updated on November 15, 2024
Post Holdings, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-15 10:59:02 EST.
Filings
10-K filed on 2024-11-15
Post Holdings, Inc. filed a 10-K at 2024-11-15 10:59:02 EST
Accession Number: 0001530950-24-000365
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

Cybersecurity risk management is a critical component of our overall risk management. Given our decentralized and adaptive operating model, each of our businesses is responsible for implementing and managing its own cybersecurity program, following our established enterprise-wide standards and strategy and using the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), which outlines industry-wide best practices addressing the components of a cybersecurity program. We utilize a third party to routinely assess the alignment of the cybersecurity programs across our organization with the NIST CSF and the program maturity in each of the included objectives. The results of these assessments are used to develop a risk-informed approach to our prioritization and allocation of resources and investment.

We employ industry standard security controls and technologies to protect our information technology (“IT”) environment and to monitor for and detect anomalous activity. Our IT security controls and technologies are designed to protect the confidentiality, integrity and availability of our processes and systems. Across our organization, our IT security architecture and controls are designed using a risk-based approach that takes into account the effectiveness of the controls, the likelihood and severity of the risk, the current threat landscape, known industry-specific threats and the likely impact of a breach with and without the respective controls. Our controls and technologies are evaluated regularly for their relevancy to the current threat landscape. We retain a risk register to catalog known risks and assess their potential impact on our organization, enabling our proactive management of such risks and the development and implementation of mitigation strategies.

We also utilize independent third parties to perform annual penetration tests at each of our businesses, allowing us to internally and externally test the controls in our facilities, networks, devices and cloud environments. In addition, we maintain and test backup and recovery systems and disaster recovery of our critical systems that are required to support our core business operations.

Our Company depends on third-party technology providers that are critical to our business operations through software, services, solutions and hosting. We utilize programs to assess the controls of these providers in an effort to reduce the likelihood of potential impacts to the confidentiality, integrity and availability of our systems. We also design our systems and the ways such providers may access our systems to limit their ability to impact our operations or systems beyond what they require. In addition, for third parties that may hold our information on their own systems, we implement processes to gather information about how such third parties secure their systems, which may include obtaining and reviewing attestations and reports from the third parties.

To help raise employee awareness of current cybersecurity threats and tactics, in particular social engineering, we provide training to our employees so that they can help identify risks and protect our organization. Through annual training, monthly phishing simulation tests, newsletters and other information postings, we educate our employees and reinforce our processes to report any suspicious activity.

In the event of a cybersecurity incident, our businesses maintain incident response plans meeting certain enterprise-established standards. Such incident response plans address the roles and responsibilities of personnel across our enterprise, required steps to take in response to an incident, incident communications plans, designated contacts for outlined response activities and playbooks to guide responses to certain common types of threats that we face. These incident response plans are reviewed and updated at least annually, with table-top exercises performed at least annually. We also have established relationships with various third-party experts and advisors to provide support in the event of a cybersecurity incident. In addition, we maintain insurance coverage that, subject to its terms and conditions, is intended to address costs associated with certain aspects of cybersecurity incidents. In conjunction with our incident response plans, we also have a process to assess whether a cybersecurity incident triggers applicable regulatory reporting obligations.

We (or third parties we rely upon) may not be able to fully, continuously and effectively implement security controls as intended, or the controls we implement may be inadequate or fail to address a particular risk. For further discussion of these risks, see “Risk Factors - Business and Operating Risks - Technology failures or cybersecurity incidents could disrupt our operations and negatively impact our businesses” in Item 1A of this report. While we are regularly targeted by cybersecurity threats, including cybersecurity attacks, ransomware and other cybersecurity breaches, and we expect them to continue in the future, during the year ended September 30, 2024, we did not identify any risks from cybersecurity threats that materially impacted or are reasonably likely to materially impact us.

Governance

Various individuals and teams throughout our organization are responsible for the oversight and management of cybersecurity risk for our organization.

Board of Directors Oversight

The Audit Committee of our Board of Directors has overall responsibility for the oversight of cybersecurity risk. The Audit Committee receives updates, on at least a quarterly basis, from our Chief Information Officer (the “CIO”) and our Chief Information Security Officer (the “CISO”) regarding our enterprise-wide cybersecurity program, which may address a range of topics, including the health, efficacy and maturity of our cybersecurity programs, the results of various assessments periodically performed on our IT environment, emerging threats and trends and cybersecurity events.

Management Oversight

Our CISO, who reports to our CIO, has overall responsibility for our enterprise-wide cybersecurity activities. The CISO is responsible for establishing the strategy, architecture, policies, procedures and standards related to cybersecurity across our organization. Each business then has a Security Lead, who reports to that business’s IT leadership, responsible for the strategy, implementation and operation of that business’s cybersecurity program (collectively, our CISO, CIO and the Security Leads are referred to as our “Security Team”).

Our CISO holds a master’s degree in information systems and has over twenty-two years of IT experience, including eight years of experience dedicated to cybersecurity and IT risk management. Having spent over twelve years at Post in various IT capacities, including approximately four years as the head of cybersecurity, his extensive knowledge of our IT systems and controls is instrumental in safeguarding our digital infrastructure. Our CIO’s background encompasses approximately twenty-six years of IT experience, including approximately six years of cybersecurity and risk management oversight, and approximately six years in supply chain and business transformation leadership. This includes over thirty years in various roles of increasing responsibility at Bob Evans, which Post acquired in 2018, ultimately serving as the CIO of Bob Evans for approximately four years before becoming our CIO in 2022. His broad knowledge and significant experience enable him to have a holistic risk management view across our organization.

In addition, members of our Security Team participate in industry-specific organizations that allow us to share information about threats and risks facing our industry, share best practices across our industry and work together to find opportunities to strengthen our industry. Members of our Security Team also have established and maintain relationships with governmental entities, which have helped inform our cybersecurity incident response planning and the protection of our IT environment.

Our Security Council, comprised of the Security Leads from each business and led by our CISO, meets on a monthly basis to discuss emerging trends and threats, share cybersecurity practices across our organization and discuss potential issues. Our Enterprise Security Risk Group (the “ESRG”), which is comprised of a cross-functional group of leaders from our organization representing legal, finance, human resources, compliance and internal audit and is led by the CISO, meets at least quarterly to review cybersecurity program performance, cybersecurity risks, progress on projects and risk remediation activities. In addition, the Security Leads report on their cybersecurity programs to the CISO and the ESRG on a quarterly basis.
Company Information
Name | Post Holdings, Inc.
CIK | 0001530950
SIC Description | Grain Mill Products
Ticker | POST - NYSE
Website |
Category | Large accelerated filer
Fiscal Year End | September 29