BELLRING BRANDS, INC. 10-K Cybersecurity GRC - 2024-11-19

Page last updated on November 19, 2024

BELLRING BRANDS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-19 13:18:03 EST.

Filings

10-K filed on 2024-11-19

BELLRING BRANDS, INC. filed a 10-K at 2024-11-19 13:18:03 EST
Accession Number: 0001772016-24-000108


Item 1C. Cybersecurity.

Overview and Leadership

Our enterprise risk management framework addresses cybersecurity risk along with other risks as part of our overall enterprise risk management process. We maintain a comprehensive information technology, data governance and cybersecurity program that leverages people, processes and technology to support our information technology systems and detect, identify, prevent, defend against and mitigate information technology and data security risks. Our cybersecurity program is aligned with the National Institute of Standards and Technology Cybersecurity Framework. This framework encompasses key processes, policies and controls to ensure protection, detection, identification, response and recovery capabilities across our organization.

Our information security program also addresses cybersecurity risks associated with our use of third-party service providers, including cybersecurity vendors, cybersecurity software and hardware providers, other vendors and customers, service providers and other parties with access to our systems and data as well as the systems of third parties that could adversely affect our operations or business in the event of a cybersecurity incident affecting those third-party systems. We use systems and processes designed to assess, identify and reduce the potential impact of a cybersecurity incident at any of our third-party service providers. We assess information security controls of certain of our third-party service providers as part of our third-party information technology risk due diligence, and we conduct third-party vulnerability analyses regularly.

Information security is integral to our information technology strategy, with accountability embedded at all organizational levels, including our operations, management and Board of Directors.

Key elements include:

- Managed Detection and Response (“MDR”) & Security Operations Center (“SOC”): Our operations team employs MDR and a SOC for round-the-clock monitoring of cyber threats and vulnerabilities.
- Vulnerability Management: We maintain technology solutions for cybersecurity prevention and defense, including outside firewalls, multi-factor authentication systems, separate intrusion prevention and detection systems, anti-virus and anti-malware products and remote access controls. Continuous vulnerability scoring helps us address emerging risks objectively and proactively.
- Incident Response: Security incidents are managed through established protocols, with escalations to senior management to assess materiality and disclosure requirements. Our information security team develops, implements and regularly tests incident response and information recovery plans designed to assess and respond to cybersecurity threats and incidents.
- Board Oversight: The Audit Committee of our Board of Directors is responsible for the oversight of cybersecurity risks. It receives regular updates and presentations on our cybersecurity environment, including strategies, processes and policies, cybersecurity incidents, risks and threats, cybersecurity projects we have implemented and plan to implement and other cybersecurity developments and industry trends. These updates are led by our Chief Information Officer, a seasoned information technology professional with over 20 years of experience, supported by a dedicated security team. The chair of the Audit Committee reports to the full Board of Directors after each meeting.
- Risk Management: Cybersecurity risks are either mitigated or documented in a risk register for non-material risks. Non-material risks are reviewed periodically to ensure continuous improvement and timely resolution. In addition, we maintain insurance to help reduce our exposure from potential losses should a cybersecurity incident arise.

Use of Third Parties

We collaborate with, and intend to continue to collaborate with, nationally recognized third-party experts for specialized security functions in rapidly evolving areas. This partnership approach enables us to leverage advanced expertise in threat identification, penetration testing, tabletop exercises, maturity assessments, training, awareness and incident response. We routinely evaluate third-party certifications (such as SOC and Insurance Services Office reports) for applications within the scope of our financial audits, supplementing these with bridge letters and internal controls when necessary. Additionally, our security team uses advanced software to assess third-party security postures, providing maturity scores that inform risk management and foster continuous improvement throughout our partnerships.

Training and Preparedness

The Company mandates ongoing cybersecurity training for all employees, covering a broad range of relevant topics. High-risk roles receive additional specialized training. We conduct regular phishing and social engineering simulations, with organization-wide reporting of results. Leadership teams also participate in annual tabletop exercises (simulated security incidents) to reinforce preparedness and refine our response plan. In addition, we maintain cybersecurity insurance to provide an added layer of protection and support in the event of a significant cybersecurity incident.

Effect of Cybersecurity Events

While no previous cybersecurity incidents have materially affected the Company, a cybersecurity incident could have a material effect on our results of operations and financial condition. As described above under “Item 1A-Risk Factors - Technology failures, cybersecurity incidents and corruption of our data privacy protections could disrupt our operations and negatively impact our business,” a material cybersecurity incident could disrupt our business, lead to the loss of data or cause us to suffer financial and/or reputational damage, in addition to litigation or remediation costs or penalties.


Company Information

Name: BELLRING BRANDS, INC.
CIK: 0001772016
SIC Description: Food and Kindred Products
Ticker: BRBR - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29