Symbotic Inc. 10-K Cybersecurity GRC - 2024-12-04

Page last updated on December 4, 2024

Symbotic Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-12-04 16:33:03 EST.

Filings

10-K filed on 2024-12-04

Symbotic Inc. filed a 10-K at 2024-12-04 16:33:03 EST
Accession Number: 0001837240-24-000232

Item 1C. Cybersecurity.

We believe data privacy and cybersecurity are critical to supporting our vision and enabling our strategy. Our approach to data privacy and cybersecurity is supported by our commitment to preserving the trust our employees and customers place in us and focuses on driving continuous improvement as the threat landscape evolves.

Our board of directors (“Board”), in coordination with each of our committees of our Board, is responsible for oversight of our enterprise risk management activities. The Board oversees risks from cybersecurity threats through periodic reports from the audit committee of the Board (“Audit Committee”), which monitors cybersecurity incidents and management’s response to such incidents. Our Audit Committee directly oversees our processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives.

Our Vice President (“VP”) of Security and Controls, who has over 16 years of experience in information technology and security and who holds Certified Information Systems Security Professional and IT Infrastructure Library certifications, has primary responsibility for overseeing our management of cybersecurity risks. Reporting to the Chief Technology Officer (“CTO”), our VP of Security and Controls meets regularly with the CTO, and works cross-functionally with other department leaders, including legal, business, policy, and technical functions, as appropriate, to exchange information related to cybersecurity. Our VP of Security and Controls provides quarterly updates to our Audit Committee on our cybersecurity status, risks, and strategies. These quarterly updates address a range of cybersecurity-related topics, such as recent developments related to the threat landscape, security controls, vulnerability assessments, third-party reviews, technological trends, and information security considerations arising with respect to our peers and third parties.

Our cybersecurity programs and procedures are designed to identify and address threats that are subject to ongoing compliance assessments, certifications, and testing. We conduct assessments of threat models to determine which risks are most likely to impact us. Our security and controls team gathers threat and risk data and updates through various sources, such as systems reviews, security research activities, and internal and external security scans and alerts, as appropriate. As applicable, in certain circumstances, we also collaborate with industry partners in the security community, our peers and law enforcement agencies, to support our cybersecurity threat intelligence capabilities. This information is collected, categorized, and assessed to identify, prioritize, and manage significant cybersecurity risks. As a result, our process is continually evaluated and evolves as the threat landscape changes.

We have also incorporated security practices into employee trainings. We have a process for employees to formally acknowledge their review and understanding of security obligations. Additionally, our security and controls team conducts periodic security and data protection training aimed to emphasize the importance of security and data protection.

We have also implemented a review process to assess the security profile and data protection practices of certain third-party suppliers and service providers that have exposure to our systems, including, as appropriate, review of vendor security policies and procedures. We do not, however, review security profile and data protection practices of all third-party vendors.

In the event of a cybersecurity incident, our response and mitigation efforts are guided by the Incident Response Plan (“IRP”), which provides guidance on how to respond to, and recover from, a material cyber incident requiring an organized response. We conduct tabletop exercises testing the principles and procedures set forth in our IRP based on lessons learned.

In addition, we have a cybersecurity disclosure committee (“Cybersecurity Disclosure Committee”) which receives updates on an as needed basis from our security organization regarding cybersecurity incidents. The Cybersecurity Disclosure Committee includes our VP of Security and Controls and senior representatives from finance, controllership, internal audit, investor relations, and legal teams. In the event of a cybersecurity incident, the Cybersecurity Disclosure Committee meets to assess the incident for materiality and required disclosure.

While we have experienced cybersecurity incidents in the past, as of the date hereof, none have materially affected us or our business strategy, financial condition, results of operations, and/or cash flows. We continue to invest in cybersecurity and resiliency of our networks to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information which they contain. For more information about cybersecurity risks relating to our business, refer to Item 1A, Risk Factors included in this Annual Report on Form 10-K.


Company Information

Name: Symbotic Inc.
CIK: 0001837240
SIC Description: General Industrial Machinery & Equipment, NEC
Ticker: SYM - Nasdaq
Website
Category: Accelerated filer
Emerging growth company
Fiscal Year End: September 27