Page last updated on November 26, 2024
SCOTTS MIRACLE-GRO CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-26 07:33:42 EST.
Filings
10-K filed on 2024-11-26
SCOTTS MIRACLE-GRO CO filed a 10-K at 2024-11-26 07:33:42 EST
Accession Number: 0001546380-24-000043
Item 1C. Cybersecurity.
Risk Management and Strategy
Cybersecurity risk was identified as a significant enterprise risk based on the results of our most recent enterprise risk assessment. As a significant enterprise risk, management has worked to identify the underlying drivers of cybersecurity risk, identify the activities in place to manage it, and assess its residual risk level. We have developed and implemented comprehensive strategies and processes to assess, identify, manage and mitigate cybersecurity risks, aligning with the National Institute of Standards and Technology Cybersecurity Framework (“NIST-CSF”). These processes include:
- implementing security event monitoring, incident response processes, access management controls, vulnerability identification and remediation, third-party risk monitoring, and user awareness and training;
- providing regular security training and awareness content for all associates, with mandatory training for new hires;
- maintaining cybersecurity risk insurance to mitigate potential breach-related costs;
- engaging consultants to perform periodic external assessments using industry-recognized frameworks like NIST-CSF; and
- monitoring program maturity through periodic reviews against the Capability Maturity Model Integration framework.
Mitigating Risks Posed by Third Parties
Risk Assessments
We identify and categorize existing third-party service providers based on criticality to our operations and prioritize those that pose the highest risks. We leverage a third-party risk management solution to facilitate our risk assessment process for new third parties, which includes interviews and questionnaires with internal business contacts and contacts from the third party to perform an inherent risk assessment. We determine applicable security controls based on the inherent risk level to drive the residual risk score to an acceptable level where possible.
The goal of the assessment process is to evaluate the risks associated with each third party, including operational, financial, legal, and reputational risks.
Ongoing Monitoring
Based on the residual risk score of a third party, we conduct assessments on a periodic basis to help ensure that we maintain current, up-to-date information on our vendors. We leverage an external third-party monitoring service to conduct continuous monitoring of our critical vendors to provide additional visibility and response efforts, and we work directly with vendors to remediate identified vulnerabilities. Finally, we review contracts that outline risk management responsibilities, compliance requirements, data protection, and incident management protocols.
Incident Management
We have developed an incident response plan that includes a process for addressing issues arising from third-party relationships, including communication channels for reporting and managing incidents involving third parties.
Documentation and Reporting
We maintain detailed records of our third-party assessments and any evidence or documentation that is provided during the assessment process. We regularly review and report on third-party risk management activities and any significant issues to senior management and/or our Audit Committee or Board of Directors.
External Resources; Associate Training and Awareness
We have developed a comprehensive information security protocol that relies on support from third-party experts and an internal training and awareness program aligned with industry standards and best practices. Given the complex and evolving nature of cybersecurity threats, we engage third-party advisors and consultants to assist us in developing and maintaining effective cybersecurity risk management processes. Partnering with these third parties allows us to leverage specialized knowledge and insights, better ensuring our cybersecurity strategies and processes are well-designed and effective.
For example, we work with third parties to regularly conduct simulated attack exercises to identify additional needs for training and overall program refinement. Internally, our training and awareness program creates multi-layered defenses by empowering associates with knowledge and tools to recognize and respond to security risks. Through role-specific and comprehensive training, we seek to maintain a workforce that actively contributes to our cybersecurity goals. Key components of our training program include:
- Onboarding Training - All new associates participate in an initial cybersecurity training module at onboarding. This training covers the Company’s security policies, data protection standards and foundational security practices, helping to ensure that new hires are equipped to meet the Company’s expectations pertaining to its security protocols.
- Articles - We publish articles on our intranet site for all associates to easily access. These articles highlight emerging threats, industry trends, and actionable tips to help associates enhance their personal and professional security posture. We target critical topics such as ransomware, social engineering, data management, and the latest threats and best practices.
- Phishing Simulations - Our phishing awareness program includes continuous phishing simulations conducted on a routine basis. This program helps associates develop the skills to effectively identify and mitigate phishing attempts. Associates who fail a threshold number of simulations during a calendar year are required to undergo additional training.
- Cybersecurity Awareness Month Activities - We have implemented interactive, virtual and on-site awareness activities during Cybersecurity Awareness Month in October. These activities include phishing simulations, articles, lunch-and-learns, and gamification to serve as refreshers on critical security concepts and reinforce our commitment to maintaining a security-conscious culture.
Governance
Our Board of Directors has overall oversight responsibility for our risk management and has delegated oversight of cybersecurity risks to our Audit Committee, including overseeing the actions management has taken to identify, monitor, and control such exposure. Our Audit Committee reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks on a quarterly basis. As part of our continued investment in developing our overall enterprise risk management program, our Audit Committee receives reports and presentations from management which address a range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, and technological trends. Our Audit Committee reports to our Board of Directors at least annually on cybersecurity matters.
At the management level, our Chief Information Security Officer (“CISO”) leads the team responsible for implementing, monitoring, and maintaining information security, including data protection practices across our business. Our CISO receives reports on cybersecurity threats from both our internal personnel and external partners on a regular basis. Our Chief Operating Officer and Chief Administrative Officer receive regular reports from our CISO on the cyber program and measures implemented by the Company to identify and mitigate cybersecurity risks. Our CISO works closely with our Company’s legal team to ensure compliance with legal and regulatory cybersecurity requirements. Our CISO has over a decade of cybersecurity and risk management experience and holds CISA, CISM, and CISSP certifications as well as a bachelor’s degree in Business Information Systems.
Cybersecurity Threats and Incidents
To date, risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition. During fiscal 2024, fiscal 2023 and fiscal 2022, the Company did not experience any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company or its business strategy, results of operations and/or financial condition. Despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents or provide assurances that we have not experienced undetected cybersecurity incidents. For additional details regarding the risks the Company faces from cybersecurity threats, see “ITEM 1A. RISK FACTORS - Risks Related to Our Business - Our operations, financial condition or reputation may be impaired if our information or operational technology systems fail to perform adequately or if we are the subject of a data breach or cyber-attack” in this Form 10-K.
Company Information
Name | SCOTTS MIRACLE-GRO CO
CIK | 0000825542
SIC Description | Agricultural Chemicals
Ticker | SMG - NYSE
Website |
Category | Large accelerated filer
Fiscal Year End | September 29