CALAVO GROWERS INC 10-K Cybersecurity GRC - 2025-01-14

Page last updated on January 14, 2025

CALAVO GROWERS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-14 17:21:28 EST.

Filings

10-K filed on 2025-01-14

CALAVO GROWERS INC filed a 10-K at 2025-01-14 17:21:28 EST
Accession Number: 0001558370-25-000209

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our cybersecurity risk management program is integrated with our overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across functions to other legal, compliance, strategic, operational, and financial risk areas. This integration ensures a holistic approach to risk management, enabling us to address cybersecurity risks in the context of broader organizational risks. We build and evaluate our cybersecurity risk management program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). The NIST CSF offers a thorough set of guidelines and best practices to help us establish a strong cybersecurity posture. Utilizing the NIST CSF enables us to systematically identify, assess, and manage cybersecurity risks pertinent to our business operations. However, it’s important to highlight that using the NIST CSF as a guide does not imply that our cybersecurity program meets any specific technical standards, specifications, or requirements. Our cybersecurity risk management program is grounded in a zero-trust framework and employs a multi-layered approach to ensure comprehensive protection. This approach includes: ● Awareness and Training for Employees: We conduct regular phishing campaigns, informational sessions at management meetings, and annual mandatory training with simulations of common cybersecurity threats. These initiatives aim to enhance employee awareness and preparedness against potential cyber threats. ● Security Tools and Technologies: We utilize advanced security tools and technologies, along with control policies and active review procedures, to strengthen authentication and access protection. This includes implementing multi-factor authentication, encryption, and continuous monitoring of network activities. ● Third-Party Risk Management: We have established a rigorous third-party risk management process and monitoring procedures for service providers, suppliers, and vendors who have access to critical systems and information. This ensures that our partners adhere to our cybersecurity standards and do not introduce vulnerabilities into our environment. ● Risk and Vulnerability Management: Our risk and vulnerability management program encompasses both proactive and predictive defenses. We regularly assess, remediate, and validate our security measures to address emerging threats and vulnerabilities. This includes conducting vulnerability scans, penetration testing, and threat intelligence analysis. 23 ● Managed Detection and Incident Response: We employ advanced endpoint protection and managed detection and response services to quickly identify and respond to potential security incidents. Our incident response team is equipped to handle various types of cyber threats and minimize their impact on our operations. In evaluating the risks identified as a part of the annual assessment process, our information technology team considers the likelihood and severity of the respective risk and the potential impact of the risk, including any potential impact on our customers and our employees. These risks are then prioritized and monitored by the information technology team. We conduct periodic testing of software, hardware, defensive capabilities, and other information security systems to assess our cybersecurity readiness and maturity of the cybersecurity program. Tests are conducted by the information technology team and reputable third-party consultants and auditors. In developing and evaluating the testing procedures, we consider both our individual risks and industry standards. The cybersecurity risk management program includes an incident response plan with a cross-functional team comprised of designated members of the information technology department, senior management, and other appropriate individuals. The team is responsible for assessing and managing the cybersecurity incident response process, as outlined within the incident response plan, and taking necessary corrective actions to mitigate and eliminate the issue. As of the date of this report, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition that are required to be reported in this Form 10-K. For further discussion of the risks associated with cybersecurity incidents and potential impact on us, see the cybersecurity risk factor within “Item 1A. Risk Factors” in this Form 10-K. Governance The information technology department, led by our Director of Information Technology & Services (“IT Director”), is responsible for our cybersecurity program. The IT Director, along with a third party provider with significant cybersecurity experience, manages information security, infrastructure, and compliance. This collaboration ensures that our cybersecurity practices are aligned with industry standards and best practices. The Board of Directors considers cybersecurity risk as part of its overall risk oversight function. The Audit Committee receives briefings from the IT Director regarding our cybersecurity risk management program at least annually. These briefings include updates on our cybersecurity risks and threats, the status of projects to strengthen the information security systems, assessments of the information security program, and the emerging cybersecurity threat landscape.

Company Information