Bunge Global SA 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

Bunge Global SA reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 14:39:04 EST.

Filings

10-K filed on 2025-02-20

Bunge Global SA filed a 10-K at 2025-02-20 14:39:04 EST
Accession Number: 0001996862-25-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Securing Bunge’s business information, customer, supplier, and employee data and information technology systems is an important part of our overall risk management framework. We rely on certain key information technology systems, some of which are dependent on services provided by third parties, to provide critical data and services for internal and external users, including procurement and inventory management, transaction processing, financial, commercial and operational data, human resources management, legal and tax compliance, and other information and processes necessary to operate and manage our business. Our cybersecurity risk management program monitors our systems and networks for threats, breaches, intrusions and other weaknesses; assesses the security of our company-wide software, applications and systems; conducts security audits and threat assessments; responds to cybersecurity incidents; and facilitates training for our employees. Within our cybersecurity team, subject matter experts regularly obtain cybersecurity certifications. Our program includes procedures to identify cybersecurity risks and threats of our third-party service providers. These procedures measure the maturity of third-party provider cybersecurity programs against industry best practices. The collection of this information is used to assess the use of third-party software or partnerships. We also review the cybersecurity scores of our business customers and suppliers, and we rely on consultants and other third-party advisors to conduct security assessments and independent audits of the security and resilience of our systems and networks. Our cybersecurity risk management program includes response plans that are aligned with our crisis response plans and outline the procedures and protocols to follow when a cybersecurity incident has or may have occurred, including to allow assessments related to disclosure and notice requirements to be timely made to regulators and affected parties. We have also performed and plan to continue to conduct cybersecurity incident simulation exercises involving members of senior management as part of our cybersecurity risk management program. The Board is provided with an update following a simulation exercise. Our response plans include protocols to notify our Chief Technology Officer (“CTO”), our Chief Legal Officer, other members of senior management as appropriate, and, under certain circumstances, the Audit Committee of our Board, or our full Board as appropriate. Our worldwide team of cyber and information security professionals undertakes a range of activities to protect its employees, assets, and reputation globally, leveraging internal and external resources to monitor cybersecurity threats to its systems and networks and to understand the broader threat environment. In support of these efforts, Our security experts use automated threat intelligence feeds and tools to increase vulnerability awareness, taking action to mitigate the highest risks. Bunge’s dedicated cyber risk organization meets regularly with business units and corporate operations to raise cyber risk awareness and keep diverse cybersecurity skill sets connected across the global enterprise. We invest in broad cybersecurity awareness and training to educate those with access to Bunge’s networks, which includes a review of company policies and best practices. We conduct phishing tests to train our workforce, and assess its ability, to identify and report malicious emails and activity. Privacy and data protection awareness and training is provided to employees and the Board as part of Bunge’s required Code of Conduct training. We have integrated cybersecurity risk assessments into Bunge’s overall enterprise risk management framework to promote a company-wide culture of cybersecurity risk management. Our CRO formulates periodic reports and provides them to our Management Risk Committee (“MRC”). As noted in “Item 1. Business - Risk Management”, the MRC reviews key enterprise risks on an ongoing basis and is responsible for reviewing and monitoring key exposures, emerging risks, and drivers of risk. Bunge uses a risk-based information security process aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework to identify, prioritize, and mitigate cybersecurity risks, which is periodically assessed by an independent third party. Increased global cybersecurity vulnerabilities, threats, and more sophisticated and targeted cybersecurity attacks, including those tied to global conflicts, pose a potentially significant risk to the security of our information technology systems, networks and services, as well as the confidentiality, availability and integrity of our data and the confidential data of our employees, customers, suppliers, and other third parties that we may hold. Although we have experienced and will continue to experience cybersecurity incidents of varying degrees, to date, we have not experienced a cybersecurity incident that has materially affected or is reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. Despite the measures the company takes to mitigate cybersecurity risks, there can be no assurance that such measures will be sufficient to protect the company’s systems, information, intellectual property ,and other assets from significant harm and, therefore, the scope and impact of any future cybersecurity incident cannot be predicted with any meaningful accuracy. See “Item 1A. Risk Factors” for more information. Governance Our CTO leads our Business Technology organization and our cybersecurity risk management program in coordination with our CRO. The Business Technology team is responsible for assessing, identifying, and managing risks from cybersecurity threats. Our CTO and CRO regularly receive briefings on cybersecurity matters, and in turn our CTO regularly reports to the Audit Committee on such matters. Our CRO regularly reports on enterprise risks facing the Company to the ERMC. Our CTO has more than 20 years of experience in leading, managing, and transforming information technology systems for large, global organizations, and our CRO has several years of experience in leading and managing risk oversight for global organizations . Our Board oversees Bunge’s approach to risk management. Our Board has established a dedicated Board committee, the Enterprise Risk Management Committee, which enables greater focus at the Board level on risk oversight tailored to our business and industries. Additionally, each of our other Board committees is responsible for considering risks within its area of responsibility. The Board has delegated oversight and review of risks related to cybersecurity and information technology systems to the Audit Committee . The Audit Committee is responsible for reviewing and assessing the overall cybersecurity risk management program and management’s processes and policies with respect to cybersecurity risk monitoring, identification, assessment, and response. Senior management and the Audit Committee receive an annual update and ongoing quarterly updates on Bunge’s cybersecurity readiness and the current “threat environment,” which includes an update on the cybersecurity threat landscape, the strategic priorities of the cybersecurity risk management program and progress made in respect of those priorities, a review of cybersecurity incidents, as well as additional updates on an as-needed basis. Our internal audit team also reports to the Audit Committee on the effectiveness of management in identifying and appropriately controlling risks, including cybersecurity risks. The Audit Committee regularly reports on its activities to the full Board to promote effective coordination and to ensure that the entire Board remains apprised of the effectiveness of the cybersecurity risk management and the cybersecurity risk landscape, and also assesses how management is managing these risks.

Company Information