GREIF, INC 10-K Cybersecurity GRC - 2024-12-23

Page last updated on December 24, 2024

GREIF, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-23 10:31:08 EST.

Filings

10-K filed on 2024-12-23

GREIF, INC filed a 10-K at 2024-12-23 10:31:08 EST
Accession Number: 0000043920-24-000056

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We recognize the importance of effective cybersecurity risk management to our operations and interests. Our cybersecurity program is designed to protect our employees, our customers and our assets through the effective identification and mitigation of cyber risks. The program, led by the Senior Director, Global Information Technology (“IT”) Security under the oversight of the Chief Information and Digital Officer (“CIDO”), encompasses a broad range of preventative, detective and responsive measures relevant to our business needs and designed to reduce our specific risks. The cybersecurity program is modeled after and assessed against the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). The NIST CSF is not a certification program and our use does not imply compliance with specific, related standards - the NIST CSF is used as a guide for designing and managing cybersecurity programs. Risks and exposures associated with our cybersecurity program are integrated into our overall enterprise risk management program and share common methodologies, reporting channels and governance processes. These processes and the governance for identifying and managing risks apply across our enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas. Core elements of our cyber program include, but are not limited to: - Risk assessments to identify cybersecurity risks that may impact us in material ways, including risks associated with our use of third-party service providers; - Cybersecurity awareness training for our employees and ongoing technical training for cybersecurity personnel; - Procedural and technical security controls implemented and managed by cross-functional teams; - An incident response plan that includes procedures for responding to cybersecurity events, including those arising from our use of third-party service providers or partners; - Periodic evaluation of security controls through system assessments and vulnerability scanning; - Partnerships with external providers where appropriate to supplement our internal expertise, perform security assessments and penetration testing, consult on best-practices and support incident response activities with forensic analysis. As of October 31, 2024, we are not aware of any cybersecurity incidents that have materially impacted, or are reasonably likely to materially impact, our operations or financial condition. Governance and Oversight Board Oversight While our Board has responsibility for oversight of risk management on an enterprise-wide basis, it has delegated certain risk oversight responsibilities to its committees. The Audit Committee of our Board of Directors has responsibility for oversight of our cybersecurity risk management program. Full responsibilities of the Audit Committee are set forth in the publicly available Audit Committee Charter on our website. The Committee receives quarterly cybersecurity updates covering risks, mitigation plans, and cybersecurity incidents. The full Board of Directors is provided with periodic cybersecurity updates from the CIDO or the Senior Director, Global IT Security, or both. In the event of an urgent cybersecurity incident where full Audit Committee or Board involvement is not practical or timely, the Chairperson of the Board of Directors, the Chairperson of the Audit Committee, and the Chief Executive Officer have been appointed as an incident oversight group. Management Oversight The Senior Director, Global IT Security has primary responsibility for the management of ongoing cyber risks under the oversight of the CIDO. The Senior Director holds a Certified Information Systems Security Professional certification and has nearly 30 years of experience in technology, including over 10 years in software development and enterprise architecture and over 15 years implementing, maturing and leading cybersecurity programs. The CIDO is responsible for global IT strategy and operations and has nearly 30 years of experience leading enterprise technology organizations. The CIDO and Senior Director, together with others on their teams, are informed about the monitoring, prevention, detection, mitigation and remediation of cybersecurity incidents through their management of and participation in the cybersecurity risk management policies, processes and operations discussed above. The Company’s management team has designated a Cybersecurity Advisory Council (the “Council”), which consists of members of management, including the Senior Director, Global IT Security and a cross-section of Company leaders. The Council ensures strong alignment within the Company with the objectives of the cyber program, providing input on policy and risk decisions. The Council receives periodic briefings on security status, incidents, and mitigation plans.

Company Information