Spectrum Brands Holdings, Inc. 10-K Cybersecurity GRC - 2024-11-15

Page last updated on November 15, 2024

Spectrum Brands Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-15 10:45:17 EST.

Filings

10-K filed on 2024-11-15

Spectrum Brands Holdings, Inc. filed a 10-K at 2024-11-15 10:45:17 EST
Accession Number: 0000109177-24-000047


Item 1C. Cybersecurity.

Risk management and strategy

We have developed and implemented an enterprise-wide cybersecurity program designed to provide a structured and thorough cybersecurity risk management system and governance structure to assess, identify, and manage material risks from cybersecurity threats. The Company considers the following factors, among others, to assess whether adequate protections are in place to address risks from known and anticipated cybersecurity threats: likelihood and severity of risk; impact on the Company and others, including retail customers, suppliers, consumers, and/or employees, if a risk materializes; feasibility and cost of controls; and impact of controls on our operations. Our cybersecurity program is aligned with various frameworks for managing cybersecurity risks, such as the National Institute of Standards and Technology Cyber Security Framework for IT systems and International Electrotechnical Commission 62443, which governs cybersecurity for Industrial Control Systems. Our cybersecurity program prioritizes, among other things, prevention of unauthorized access; protection of sensitive information; detection, assessment, and response to cyber threats; and continuous improvements to our cybersecurity measures. We seek to achieve our cybersecurity program priorities through a multi-pronged and multi-tiered approach to address cyber threats and incidents that includes implementation of various industry best practices, proactive monitoring of our IT systems, ongoing employee training, and regular risk assessments. We also maintain cyber insurance coverage to help mitigate a portion of the potential costs in the event of covered events.

As part of the cybersecurity risk management program, the Company utilizes cybersecurity assessors, consultants, auditors, and other third parties to assist the internal team with network security, cloud security, endpoint security, data loss prevention, and security information and event management. In addition, the Company utilizes a variety of third-party technology, information systems, and service providers to help identify, isolate, and mitigate security incidents. The Information Security team retains external cybersecurity firms to review and provide feedback on improving our cybersecurity program, including in the areas of data protection, threat and vulnerability management, and end-point protection. Tabletop exercises are conducted to prepare for potential cyber incidents and assess preparedness and processes. Cybersecurity training is provided to users of the Company technology resources; regular simulated exercises are conducted to help users recognize phishing emails and other social engineering tactics; and various methods are provided for users to report suspicious activity that may give rise to a cyber incident or threat. Significant results of such testing and reviews are communicated to our executive management team and our Audit Committee, as applicable, and are utilized in our cybersecurity program's continuous improvement process. In response to the growing risks associated with third-party service providers, we have established review processes for assessing the technological and information security controls of our third-party suppliers to attempt to identify material cybersecurity risks associated with such providers, their IT systems, and their access to our IT systems that could significantly disrupt our operations.

These processes encompass a range of measures, such as pre-engagement cybersecurity due diligence for providers who access our IT systems or information before their engagement, ongoing monitoring and evaluation of our providers, detailed examination of available System and Organization Controls attestation reports, and inclusion of relevant contractual provisions in our agreements with third-party service providers with respect to areas including cyber protections, notifications, auditing, and risk allocation. To support incident response preparedness, the Company has developed a cybersecurity incident response plan and conducts an annual simulated incident exercise. The cybersecurity incident response plan addresses cybersecurity incidents that directly impact the Company or arise from the Company's use of third-party technology, information systems, and service providers. The Company also utilizes business continuity and disaster recovery plans to prepare for potential disruptions in technology that the Company relies upon. Further, the Company monitors novel and advanced cybersecurity threats and provides ongoing employee security awareness training.

Cybersecurity governance

Our Board of Directors oversees the management of risks inherent in the operation of our business, with a focus on the most significant risks that we face, including those related to cybersecurity. The Board of Directors has delegated oversight of cybersecurity, including privacy and information security, as well as enterprise risk management to the Audit Committee.

In connection with that oversight responsibility, our CIO provides the Audit Committee and the senior executive management team of the Company information and updates on a range of cybersecurity topics, which may include our cybersecurity program and governance processes; cyber risk monitoring and management; the status of projects to strengthen our cybersecurity and privacy capabilities; recent significant incidents or threats impacting our operations, industry, or third-party suppliers; and the emerging threat landscape. Our head of Internal Audit also meets with our executive management team and the Audit Committee on a quarterly basis and reports on processes and activities, including applicable cyber risk management, pertinent to enterprise risk management. Our enterprise-wide cybersecurity program is managed by a dedicated information security team, led by our CIO. Our CIO has more than 25 years of technology experience across various disciplines, including nearly 15 years of experience as a CISO in the financial, manufacturing, and consumer packaged goods industries. He has led our global information security organization for almost four years. In addition to his employment experience in the cybersecurity field, our CIO has a Master of Computer Systems and a Bachelor's Degree in Accounting, and he has served on corporate and industry advisory boards related to cybersecurity, all of which have provided him with skills and experience to manage our global information security function. Our CIO regularly meets with other members of our executive team and provides relevant updates on our cybersecurity program.

Material Cybersecurity Risks, Threats & Incidents

We actively monitor the evolving cybersecurity and geopolitical landscapes that could result in new or increased cybersecurity threats. As a global company, we routinely experience the threat of a wide variety of cybersecurity incidents.

In the last three (3) fiscal years, the Company has not experienced any material cybersecurity incidents, and expenses incurred from non-material cybersecurity incidents were minimal. However, despite our significant cybersecurity protocols and governance, we cannot assure that we will not experience any such event in the future. Any security breach or other significant disruption involving our computer networks and related systems could cause substantial costs and other negative effects, including litigation, remediation costs, costs to deploy additional protection strategies, compromising of confidential information, and reputational damage adversely affecting investor confidence. Further, a penetration of our systems or a third-party's systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations. See Item 1A. Risk Factors for further details on risks related to potential breaches of our information technology systems.

Incident Response

A cybersecurity incident response plan is in place that is designed to provide a framework across all functions for a coordinated identification and response to security incidents. The plan specifies the process for identifying, validating, classifying, documenting, and responding to cybersecurity events, as well as determining whether reporting of an event is appropriate under regulatory standards. The plan also includes a materiality assessment framework that sets forth procedures to support our assessment of whether a security incident is "material" under the federal securities laws. Internal reporting and escalation protocols are in place to ensure the involvement of the CIO, other senior executive leaders, and the Audit Committee, as appropriate. Under the plan, regular tabletop exercises are conducted to test preparedness and incident response processes and provide ongoing training.


Company Information

Name: Spectrum Brands Holdings, Inc.
CIK: 0000109177
SIC Description: Miscellaneous Electrical Machinery, Equipment & Supplies
Ticker: SPB - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29