MCCORMICK & CO INC 10-K Cybersecurity GRC - 2025-01-23

Page last updated on January 23, 2025

MCCORMICK & CO INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-23 16:37:26 EST.

Filings

10-K filed on 2025-01-23

MCCORMICK & CO INC filed a 10-K at 2025-01-23 16:37:26 EST
Accession Number: 0000063754-25-000005


Item 1C. Cybersecurity.

Risk Management and Strategy

Cybersecurity risk management is overseen both as a critical component of our overall Enterprise Risk Management program and as a standalone program. We have implemented a risk-based, multilayered approach to assessing, identifying, and managing cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents. The team devotes significant resources to our cybersecurity risk management, which focuses on developing and implementing strategies and processes to protect the confidentiality, integrity, and availability of our assets and those of our consumers, customers and employees, and seeks to continually improve our policies and practices to protect our platforms, adapt to changes in regulations, identify potential and emerging security risks and develop mitigation strategies for those risks. As part of this effort, the team periodically benchmarks our practices against the NIST Cyber Security and Privacy Frameworks and other good practice control methods, which include updating technology, developing data privacy and security policies and procedures, implementing and assessing the effectiveness of controls, monitoring and routine testing of our information systems, conducting risk assessments of third-party service providers, providing data privacy and cybersecurity awareness training to employees and designing business processes to protect private data and mitigate the risk of cybersecurity incidents. We periodically conduct tests on our systems to help discover potential vulnerabilities, which enable improved decision-making and prioritization and promote monitoring and reporting across compliance functions. We believe that these actions provide adequate measures of protection against security breaches and generally reduce our cybersecurity risks, and we have not had a material cybersecurity threat or attack to date.

Our processes also address cybersecurity risks associated with our use of third-party service providers, including suppliers, and software and cloud-based service providers. We proactively evaluate the cybersecurity risk of our third-party service providers by utilizing a repository of risk assessments, external monitoring sources, threat intelligence and predictive analytics to better inform ourselves during contracting and vendor selection processes. Third-party service providers' security issues are documented, tracked, and monitored in order to mitigate risk. Our employees, including part-time and temporary employees, undertake an annual cybersecurity training program, which is augmented by additional training and communications on information security and data privacy matters throughout the year. We have adopted an incident response plan that applies in the event of a cybersecurity threat or incident to provide a standardized framework for responding to such cybersecurity threats or incidents. The plan sets out a coordinated approach to investigating, containing, documenting, and mitigating incidents, including reporting findings and keeping our Management Committee, the Audit Committee, the Board, and other key stakeholders informed and involved as appropriate. The plan is aligned to NIST guidance. It also includes the involvement of any personnel who may detect incidents, respond to incidents, resolve incidents, and manage communications and responsibilities with authorities about those incidents. The plan applies to all personnel (including third-party contractors, vendors, and partners) that perform functions or services requiring access to secure Company information, and to all devices and network services that are owned or managed by us.

Further, we currently maintain cybersecurity insurance that provides coverage for certain types of incidents; however, such insurance may not be sufficient in type or amount to cover claims related to all cyber threats or risks. While we have not experienced any material cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, as of the date of this Annual Report on Form 10-K, there can be no guarantee that we will not be the subject of future threats or incidents. Additional information on cybersecurity risks we face can be found in Item 1A, Risk Factors, which should be read in conjunction with the foregoing information.

Governance and Oversight

Our Board and the Audit Committee are actively engaged in the oversight of our cybersecurity and data privacy program. The Board, at least annually, and the Audit Committee, periodically throughout the year, receive regular reports from our Chief Information Security Officer ("CISO") and members of the information security team on, among other things, recent developments, the state of the information security program, assessments of risks and threats to our information security systems, information security considerations arising with respect to our peers and third parties, third-party and independent reviews, and processes to maintain and strengthen information security systems. Under the oversight of the Audit Committee, we engage third-party experts to assess the state of our cybersecurity and data privacy program. The Audit Committee also provides regular updates to the Board, and the Board would be notified between such updates regarding significant new cybersecurity threats or incidents.

We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated internally and, where appropriate, reported to the Management Committee, the Audit Committee or the Board in a timely manner. We have an Executive Cybersecurity Steering Committee that is facilitated by our CISO, which is designed to engage business leadership and employ best practices, including ongoing enhancements to governance, risk and compliance. Our internal audit function also performs independent testing on aspects of the operations of our cybersecurity program and the supporting controls based upon its risk-based internal audit plan and reports the results of these audits in its periodic reports to the Audit Committee. Our CISO currently reports to our Chief Information and Digital Officer and is responsible for training and leading a dedicated information security team tasked with protecting data and preventing, identifying, and appropriately addressing cybersecurity threats. The CISO is a Certified Information Systems Security Professional with over 20 years of experience developing and maturing information security programs, including experience with leading privacy, enterprise risk, records management, business continuity and operational risk programs, among others.


Company Information

Name: MCCORMICK & CO INC
CIK: 0000063754
SIC Description: Miscellaneous Food Preparations & Kindred Products
Ticker: MKC - NYSE; MKC-V - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: November 29