Page last updated on February 24, 2025
Kenvue Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-24 16:06:09 EST.
Filings
10-K filed on 2025-02-24
Kenvue Inc. filed a 10-K at 2025-02-24 16:06:09 EST
Accession Number: 0001944048-25-000033
Item 1C. Cybersecurity.
Risk Management and Strategy

Our process for assessing, identifying, and managing material risks from cybersecurity threats is integrated into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. Our cybersecurity organization continually evaluates and addresses cybersecurity risk in alignment with our business objectives to address the evolving regulatory landscape and emerging risks, including those resulting from geopolitical shifts and technological innovations such as the growth of cloud technologies and artificial intelligence. We maintain a formal cybersecurity training program, including annual trainings for all Kenvuers, covering, among other topics, phishing, email security, and data privacy. We employ automation, and we also engage our internal audit function and a range of external consultants and other expert third parties in connection with the evaluation and management of cybersecurity risk and the maturation of our cybersecurity program. Our cybersecurity organization assesses, monitors, and manages cybersecurity risk through technical, physical, and administrative controls, including implementing cybersecurity policies, procedures, and strategies, with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while increasing our system resilience in an effort to minimize business impact should an incident occur. The underlying controls of the cybersecurity risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology Cybersecurity Framework. In addition, we maintain a Data Incident Response Program, which is designed to identify, assess, manage, and report significant data incidents, including those reasonably likely to affect our business strategy, results of operations, or financial condition.
In the event of a cybersecurity incident, our cybersecurity team assesses, among other factors, safety impact, supply chain and manufacturing disruption, data and personal information loss, business operations disruption, projected cost, and potential for reputational harm, with support from external technical and legal advisors and law enforcement, as appropriate. The Data Incident Response Program outlines the steps to be followed from incident detection to mitigation, recovery, and notification, including notifying functional areas, senior management, and the Company’s Disclosure Committee or a sub-committee thereof as appropriate. The Disclosure Committee or a sub-committee thereof will consider the materiality of an incident elevated by the Data Incident Response Program, inform our Board and other key stakeholders as appropriate, and determine the Company’s reporting obligation on a timely basis. Our organization tests and monitors these processes, including through table-top exercise testing with senior leaders. We rely heavily on our supply chain to deliver our products to our customers and consumers, and a cybersecurity incident at a supplier or partner could materially adversely impact us. As such, we have processes in place to oversee and identify risks from cybersecurity threats associated with suppliers and our use of third-party service providers, including through our Supplier Cyber Risk Assessment process, which assesses third-party cybersecurity controls through a combination of risk assessment questionnaires, commercially available risk data, and proprietary algorithms. We also include security and privacy addendums to our contracts where applicable. We require that our suppliers and partners report cybersecurity incidents to us so that we can assess the impact of such an incident on us and have dedicated processes to respond to cybersecurity incidents at third parties. 
Risks from cybersecurity threats did not materially affect our results of operations or financial condition during the fiscal twelve months ended December 29, 2024.

Governance

Cybersecurity-related risks are one of the key risks contemplated by our Enterprise Risk Management (“ERM”) Framework. The ERM Framework informs our strategic planning activities through a collaborative risk management environment that proactively identifies and prioritizes our strategic, preventable, and external risks (including new or changing regulations). The ERM Framework enables a clear understanding of the top risks and the exposure they have to our performance and strategic decisions. The ERM Framework is reviewed annually as part of a risk assessment that is presented to our Board. Our ERM Framework describes the roles and responsibilities of the Integrated Risk Management Council, a cross-functional group of senior enterprise risk leaders, which meets regularly to review and discuss significant risks facing our business, including cybersecurity risk. Our Integrated Risk Management Council, which includes our Chief Information Security Officer (“CISO”), proactively identifies, assesses, and prioritizes key or emerging risks, which are then escalated to senior management as needed and, in the case of cybersecurity risk, reported to our Board’s Nominating, Governance & Sustainability Committee (the “NG&S Committee”) or our full Board. The NG&S Committee is responsible for assisting our Board with respect to designated risk oversight matters, including privacy and cybersecurity. The NG&S Committee receives reports from, and meets at least twice a year and as needed with, the CISO and the Chief Privacy and Digital Officer (“CPDO”). The CISO and the CPDO inform the NG&S Committee, which in turn informs our Board, of risks from cybersecurity threats during such meetings.
The NG&S Committee reports to our full Board following each of its regularly scheduled meetings at a minimum and reviews with our Board significant issues or concerns that arise at NG&S Committee meetings. In addition, in February 2025, the CISO and the CPDO reviewed with our Board the cybersecurity and privacy programs, the Data Incident Response Program, and the role of our Board related thereto. Our CISO leads a global cybersecurity organization, which develops our strategic cybersecurity priorities and executes operational plans. Our CISO has over 25 years of cybersecurity experience in the healthcare, finance, and telecommunications industries and in government. Prior to his role at Kenvue, our CISO spent over 10 years at J&J in cybersecurity, and he retired from the United States Air Force Reserves in 2018 as a Lieutenant Colonel, where he had responsibility for cybersecurity. He is a Certified Information Systems Security Professional and holds a Master's in Telecommunications Management from the University of Maryland, University College and a Directorship Certification from the National Association of Corporate Directors. Our CPDO has over 10 years of privacy and digital legal experience. Prior to his role at Kenvue, our CPDO worked for over 15 years in J&J’s Law Department. He also worked as a lawyer in private practice at the law firm Linklaters LLP, in industry associations, and in government, and he acted as Vice Chair of the Consumer Goods Privacy+ Consortium, an association developing compliance strategies and best practices to meet requirements of global privacy laws. He holds a Juris Doctor from Luiss Guido Carli University (Rome, Italy) and a Master of Laws in European Law and Economic Analysis from the College of Europe (Bruges, Belgium).
The other members of the cybersecurity organization have decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes around the world, and rely on threat intelligence as well as other information obtained from governmental, public, or private sources, including external consultants. Notwithstanding our cybersecurity measures, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. For a discussion of cybersecurity risks, see Part I, Item 1A, “Risk Factors-Risks Related to Our Operations-An information security incident, including a cybersecurity breach, or the failure of an information technology or operational technology system owned or operated by us or a third party, could adversely affect us.”
Company Information
Name | Kenvue Inc.
CIK | 0001944048
SIC Description | Perfumes, Cosmetics & Other Toilet Preparations
Ticker | KVUE - NYSE
Website |
Category | Large accelerated filer
Fiscal Year End | December 28