HORMEL FOODS CORP /DE/ 10-K Cybersecurity GRC - 2024-12-05

Page last updated on December 5, 2024

HORMEL FOODS CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-05 14:40:07 EST.

Filings

10-K filed on 2024-12-05

HORMEL FOODS CORP /DE/ filed a 10-K at 2024-12-05 14:40:07 EST
Accession Number: 0000048465-24-000051


Item 1C. Cybersecurity.

Risk Management and Strategy

As a global organization, the Company’s information systems are subject to various risks, including, but not limited to risks associated with ransomware, system disruption, data theft, unauthorized access to information, and misuse of data. To identify, address, and mitigate these risks, the Company has developed and maintains a cybersecurity program. The Company’s cybersecurity program is informed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Company’s Enterprise Risk Management (ERM) process and relies on internal and external expertise.

Integration with ERM Processes

The Company maintains an ERM program with a governance structure that is designed to identify, assess, prioritize, and mitigate risks across the organization. The ERM Executive Committee, comprised of the Company’s senior leadership team, has the ultimate responsibility for overseeing the identification of the key risks facing the Company and meets regularly to discuss the Company’s approach to mitigating those risks. Through the ERM process, cybersecurity has been identified as an important risk facing the Company. As a result, the cybersecurity program is an important component of the Company’s ERM processes.

In addition to discussing the cybersecurity program at ERM Executive Committee meetings, members of the ERM Executive Committee participate in the cybersecurity incident response process. This process includes a governance model and procedures for identifying, categorizing, containing, and responding to cybersecurity incidents. As a component of the cybersecurity incident response process, the Company conducts attack simulations and exercises and has used third parties to support this work. The Company also maintains business continuity and disaster recovery plans to prepare for potential technology disruptions and to better position the Company to recover from any cybersecurity incident.

The Company’s Disclosure Committee also includes a member of the ERM Executive Committee, helping to ensure timely analysis of disclosure obligations relating to cybersecurity events.

Cybersecurity Program Components

The Company’s cybersecurity program includes a focus on governance, processes, technology, and people. Components of the program include the following:

- Investments in security technology, such as vulnerability management tools, malicious software protection, email security, and around-the-clock monitoring;
- Regular monitoring and updating of the Company’s IT infrastructure, to respond to the dynamic cybersecurity threat environment;
- Use of third parties to assess, test, validate, and strengthen the cybersecurity program, including penetration testing and the periodic use of a third party to assess the quality and maturity of the program against the NIST Cybersecurity Framework; and
- Assessing and managing cybersecurity risks associated with the Company’s relationships with third parties, including technology and service providers, through due diligence efforts and the imposition of contractual obligations.

The Company’s cybersecurity program also includes employee training and education. Frequent employee training topics include social engineering, phishing, password protection, confidential data protection, asset use, and mobile security. Training emphasizes the importance of reporting incidents promptly to the Company’s security operations team. The Company also conducts periodic phishing tests with employees and provides employees with easy-to-use tools to report potential phishing emails.

Cybersecurity Governance and Oversight

Management

The Company’s management is responsible for identifying, assessing, and managing the Company’s exposure to cybersecurity risk. The Company has an internal team that is supported by security technologies, third-party experts, and threat intelligence resources in support of cybersecurity risk reduction.

The Company’s internal cybersecurity team is led by the Company’s Director of Information Security and Compliance, who acts in the capacity of a chief information security officer and is responsible for overseeing the execution of cybersecurity strategy and maturing the Company’s cybersecurity posture. The Director of Information Security and Compliance reports to the Company’s Vice President of IT Services and has education, training, and experience pertinent to cybersecurity, including more than 25 years of IT experience with over 15 years in Information Security and holds the Certified Information Security Systems Professional (CISSP) certification.

Board of Directors

The Company’s Board of Directors (Board) and its Audit Committee exercise oversight of the Company’s ERM program, including the cybersecurity program. Management, led by the Director of Information Security and Compliance, provides at least three updates per year to the Audit Committee on cybersecurity topics, and the Audit Committee regularly reports to the Board on these presentations. In addition, the Director of Information Security and Compliance provides an annual cybersecurity update to the full Board. Management’s updates cover relevant cybersecurity topics, both ongoing and unique in nature, including risk exposures and management’s actions to monitor and mitigate such risks, emerging threats or regulations, and status updates on projects to strengthen and mature the Company’s systems and cybersecurity programs. Management’s escalation protocol includes reporting of certain cybersecurity threats or incidents to the Audit Committee in a prompt and timely manner.

Impact of Cybersecurity Risks and Threats

While some of the Company’s third-party service providers have experienced cybersecurity incidents and the Company has experienced threats to its data and systems, as of the date of this report, the Company’s management is not aware of any cybersecurity threats or incidents that have materially affected its business strategy, results of operations, or financial condition. This does not guarantee that future incidents or threats will not have a material impact by interrupting operations, causing reputational harm, increasing operating costs, or exposing the Company to litigation. For additional commentary on cybersecurity risks, see Part 1, Item 1A. Risk Factors under the heading “The Company may be adversely impacted if the Company is affected by cybersecurity attacks, security breaches, or other IT interruptions, involving its own systems or those with whom it does business.”


Company Information

Name: HORMEL FOODS CORP /DE/
CIK: 0000048465
SIC Description: Meat Packing Plants
Ticker: HRL - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: October 26