Reynolds Consumer Products Inc. 10-K Cybersecurity GRC - 2025-02-05

Page last updated on February 5, 2025

Reynolds Consumer Products Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-05 09:15:01 EST.

Filings

10-K filed on 2025-02-05

Reynolds Consumer Products Inc. filed a 10-K at 2025-02-05 09:15:01 EST
Accession Number: 0001628280-25-003936

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Governance Our information security program is managed by a Chief Information Security Officer (“CISO”) , whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes, including assessing and managing our material risks from cybersecurity threats. The CISO is a Certified Information Systems Security Professional (“CISSP”), and has over 20 years of experience holding various roles in information technology and cybersecurity. The Audit Committee of our Board of Directors is charged with oversight of cybersecurity matters, including oversight of risks from cybersecurity threats. The CISO provides quarterly reports to the Audit Committee, as well as more frequent reports to our Cyber Security Steering Committee, which includes the Chief Executive Officer, Chief Financial Officer and other members of our senior management. These reports include updates on our cyber risks and threats, the status of projects to strengthen our information security systems, assessments of our information security program, and the emerging threat landscape. Our cybersecurity program is periodically evaluated by internal and external experts, with the results of those reviews reported to senior management and the Audit Committee. We also actively engage with key vendors and industry participants as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. Risk Management and Strategy We have a comprehensive cybersecurity and information security framework that includes risk assessment and mitigation. We leverage the National Institute of Standards and Technology Cyber Security Framework 2.0 for measuring overall readiness to respond to cyber threats and the Sarbanes-Oxley Act for assessment in internal controls. Our cybersecurity processes are integrated into our overall risk management program, and include a comprehensive cyber crisis management program that would apply if a cybersecurity related incident were to occur. We perform response simulations, tabletop exercises and recovery tests on a quarterly basis. In addition, we engage external consultants to perform penetration testing at least annually. Our cyber crisis management program includes a documented plan that provides overall coordination of our response to a major cyber incident as well as a resource engagement plan. As part of our crisis management plan, our cyber crisis communication plan accounts for timely and accurate dissemination of information to stakeholders during the crisis. Other components of our crisis management plan are our business continuity plan, that documents the application of specific strategies and measures to enable core business activities to continue during a cyber event, and our disaster recovery plan, that is designed to restore data and systems to their operational state. The ongoing development and maturity of our cyber crisis management program is reported to senior management quarterly. With respect to third-party service providers, we perform assessments of their information security capabilities prior to entering into a contractual agreement. We also perform periodic information security capabilities reviews for existing third-party service providers based on the risks identified in the initial review, or if events and circumstances necessitate a review. Refer to “A cyber-attack or failure of one or more key information technology systems, operational technology systems, networks, processes, associated sites or service providers could have a material adverse impact on our business and reputation” in Item 1A. “Risk Factors” for information regarding material risks from cybersecurity threats that affect us.

Company Information