TreeHouse Foods, Inc. 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 14, 2025

TreeHouse Foods, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 16:29:08 EST.

Filings

10-K filed on 2025-02-14

TreeHouse Foods, Inc. filed a 10-K at 2025-02-14 16:29:08 EST
Accession Number: 0001320695-25-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our cybersecurity program and controls are designed to assess, identify, and manage material risks from cybersecurity threats, and protect and preserve the confidentiality, integrity, and continued availability of all information owned by, or in the care of, the Company. Cybersecurity risk is incorporated into the Company’s broader Enterprise Risk Management program, and is managed in alignment with our business objectives and operational needs. Our information systems are continuously monitored for security threats and anomalies, and our incident response plan and processes are built to enable us to identify, contain, eradicate, and recover from security incidents in a coordinated fashion, helping maintain the function and security of our IT assets, information resources, and business operations. We have formed relationships with various third-party experts and advisors to provide support in the event of a cybersecurity incident. Additionally, we have established various elements of risk management to mitigate costs associated with cybersecurity incidents. We strive to maintain a strong culture of cybersecurity awareness across the organization by conducting regular information security awareness training, and simulation exercises, for employees, and providing access to related educational materials. We oversee and identify material risks from cybersecurity threats associated with our use of third-party service providers, perform third party security assessments of select third party service providers, and employ techniques to protect our organization in the event our third parties experience a cybersecurity incident. We employ controls to continuously monitor and assess the information gathered by our security tools, services to identify gaps, exposures, or weaknesses in our overall security posture, and engage reputable external specialists to provide independent assessments of our cybersecurity program, and response preparedness. Further, the Company’s enterprise level IT general controls are audited annually. Impact of Cybersecurity Risks and Threats We are not aware of having experienced any risks from cybersecurity threats or incidents through the date of this Report that have materially affected the Company, its business strategy, results of operation or financial condition or are reasonably likely to have such an effect over the long term. This does not guarantee that future incidents or threats will not have a material impact or that we are not currently the subject of an undetected incident or threat that may have such an impact. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A - Risk Factors , which should be read in conjunction with the foregoing information. Governance Board of Directors Our Board of Directors oversees our Enterprise Risk Management program, and cybersecurity risks are monitored as a part of the broader program. Our Board has delegated the primary responsibility to oversee risks from cybersecurity threats to the Audit Committee. Our Audit Committee receives quarterly updates from the Chief Information Officer (“CIO”) on significant risks, cyber incidents, key performance indicators measuring the effectiveness of our cybersecurity risk program, and other relevant matters, and regularly reviews the measures implemented by the Company to identify, treat, mitigate, and transfer cybersecurity risk. The Audit Committee regularly briefs the Board on these updates, and the Board also receives periodic briefings on cybersecurity risk through our broader Enterprise Risk Management program. These risks, including current and emerging risks, are regularly evaluated by the Audit Committee and the Board. In addition to the regular updates to the Audit Committee, we have protocols by which certain cybersecurity incidents and threats are escalated within the Company and, where appropriate, reported in a timely manner to the Board and Audit Committee. Management Our CIO is responsible for our information security program and controls, which includes cybersecurity risk management. Our Head of Cybersecurity reports to our CIO, and leads our cybersecurity program and team that assesses, manages and monitors cybersecurity risks, associated risks of emerging technologies, and the corresponding controls. The CIO and Head of Cybersecurity have extensive cybersecurity knowledge and expertise, skills gained from each having over 20 years of relevant industry experience. 19

Company Information