CENTRAL GARDEN & PET CO 10-K Cybersecurity GRC - 2024-11-27

Page last updated on November 28, 2024

CENTRAL GARDEN & PET CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-27 16:32:07 EST.

Filings

10-K filed on 2024-11-27

CENTRAL GARDEN & PET CO filed a 10-K at 2024-11-27 16:32:07 EST
Accession Number: 0000887733-24-000029

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy: We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees, customers or consumers; violation of data privacy or data security laws and other litigation and legal risk; and reputational risks. We also maintain an incident response plan to coordinate the activities we take to protect against, detect, respond to and remediate cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, as well as to comply with potentially applicable legal obligations and mitigate risk, including reputational damage. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess, and manage material risks, as well as to test and improve our incident response plan. Our approach includes, among other things: - conducting regular network and endpoint monitoring, vulnerability assessments, and penetration testing to improve our information systems, as such term is defined in Item 106(a) of Regulation S-K; - running tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies; - regular, mandatory cybersecurity training programs for relevant employees; - comparing our processes to standards set by the International Organization for Standardization (“ISO”); - leveraging the ISO information security incident management model to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; - leveraging third-party threat intelligence services designed to model and research our adversaries; - closely monitoring emerging data protection laws and implementing changes to our processes designed to comply; - periodically reviewing our consumer facing policies and statements related to cybersecurity; - conducting regular phishing email simulations for relevant employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats; - through policy, practice and contract (as applicable) requiring employees, as well as third parties who provide services on our behalf, to treat customer information and data with care; and - carrying information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident. These approaches vary in maturity across the business and we work to continually improve them. Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process appropriate disclosure personnel will collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. As part of the above approach and processes, we periodically engage with assessors, consultants, auditors, and other third-parties, for purposes of evaluating our cybersecurity posture and identifying areas for continued focus, improvement and/or compliance. We describe how risks associated with a potential cybersecurity incident are reasonably likely to materially affect us, including our business, results of operations and financial condition, under the heading “A significant information security or operational technology 12 incident, including a cyberattack or a data breach, could disrupt our operations and adversely impact our operating results, cash flows and reputation,” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none. Cybersecurity Governance: Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management. The Audit Committee of our Board of Directors is responsible for the oversight of risks from cybersecurity threats. At least annually, the Audit Committee receives an overview from management of our cybersecurity threat risk management, including topics such as data security posture, results from third-party assessments, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the Audit Committee generally receives materials indicating current and emerging material cybersecurity threat risks, and describing the company’s ability to mitigate those risks, and discusses such matters with our Information Security Leadership Team, comprised of Chris Walter, our Chief Information Officer, Frank Madigan, our Vice President, Information Technology and Security and Kelvin James, our Senior Manager, Information Security (the “InfoSec Leadership Team”). Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our InfoSec Leadership Team. The executives on this team have collectively over 60 years of prior work experience in the management of information security, developing cybersecurity strategy and implementing effective information and cybersecurity programs. In addition to their work experience, Mr. Madigan has a Master of Business Administration in Information Technology Management and Mr. James has a Master of Science in Information Security and Assurance. The InfoSec Leadership Team is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response plan and cybersecurity disclosure controls and procedures define the process to disclose such material cybersecurity incident. As discussed above, the InfoSec Leadership Team reports about cybersecurity threat risks, among other cybersecurity related matters, to senior management and the Audit Committee, which provides updates to the full Board of Directors.

Company Information