J&J SNACK FOODS CORP 10-K Cybersecurity GRC - 2024-11-26

Page last updated on November 26, 2024

J&J SNACK FOODS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-26 17:00:49 EST.

Filings

10-K filed on 2024-11-26

J&J SNACK FOODS CORP filed a 10-K at 2024-11-26 17:00:49 EST
Accession Number: 0001437749-24-036279


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our enterprise risk management process includes an evaluation of cybersecurity risk together with other company risks. The Company has established a cybersecurity risk management program (the “program”) designed to assess, identify, and manage material cybersecurity risks. Our program is designed based on industry best practices and is aligned with the core components of frameworks established by the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS) and International Organization for Standardization (ISO). An annual risk assessment is performed to identify internal and external cybersecurity threats and vulnerabilities, assess the likelihood and potential impact of such threats and vulnerabilities, and prioritize the risks from such threats and vulnerabilities. The results of the risk assessment, along with professional judgment, are used to develop and implement cybersecurity risk mitigation strategies and controls.

Our program includes:

● A cybersecurity incident response plan that outlines a structured approach to investigating, containing, documenting, and mitigating cybersecurity incidents, including reporting findings and keeping senior management, the Audit Committee, and other key stakeholders informed and involved as appropriate;
● Annual external penetration testing to identify vulnerabilities, assess perimeter security, improve incident response, and strengthen security policies and procedures;
● Regular phishing, social engineering, and cybersecurity awareness training for employees with access to the Company’s information technology environment;
● Annual tabletop exercises to test incident response plans, improve communication and coordination between relevant employees, and identify gaps to inform needed adjustments to plans;
● Ongoing risk assessments of third-party service providers designed to ensure they meet the Company’s standards for reliability, security, compliance, and performance.

Third-party service providers are used in various capacities as part of our cybersecurity risk management program, including performing risk mitigation controls and providing cloud-based, cybersecurity services and platforms. For example, third-party service providers are used to conduct our external penetration testing, as well as assist the Company in detecting, responding, and mitigating cybersecurity incidents. The Company uses a variety of processes to oversee and identify material risks from cybersecurity threats associated with the use of third-party service providers. Third-party service providers are required to complete a detailed questionnaire, which is used to identify and assess material cybersecurity risks.

In addition, the Company performs an annual review of independent attestation reports of the third-party service providers’ control environments designed to ensure that the controls meet Company security requirements and that any identified issues in the independent attestation reports do not present material cybersecurity risks to the Company.

To date, we have not identified any cybersecurity threats or incidents which have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition; however, there is no guarantee that we will not be the subject of future successful cybersecurity threats or incidents that may materially and adversely affect the Company, including its business strategy, financial condition, results of operations or prospects. Additional information on cybersecurity-related risks is discussed under the heading “Risks Associated with our Information Technology Systems” under Item 1A, which should be read in conjunction with Item 1C.

Cybersecurity Governance

Our Board of Directors has delegated oversight responsibilities for enterprise risk, including cybersecurity risk, to the Audit Committee. The Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”) provide periodic updates to the Audit Committee regarding the Company’s cybersecurity risk management program. The Company has a cybersecurity incident response plan that includes a process to evaluate cybersecurity incidents for materiality. The escalation protocol includes reporting potentially material cybersecurity incidents to senior members of management for further evaluation. Any cybersecurity incident determined to have a material impact on the Company is timely reported to the Audit Committee. The CISO has primary responsibility for the development, operation, and maintenance of our cybersecurity risk management program.
Our CISO has 25 years of experience in information technology and cybersecurity generally, which has been gained from a combination of education, including relevant degrees, and prior work experience.
Company Information

Name: J&J SNACK FOODS CORP
CIK: 0000785956
SIC Description: Cookies & Crackers
Ticker: JJSF - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 27