Page last updated on February 25, 2025
WK Kellogg Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 17:03:34 EST.
Filings
10-K filed on 2025-02-25
WK Kellogg Co filed a 10-K at 2025-02-25 17:03:34 EST
Accession Number: 0001628280-25-007817
Item 1C. Cybersecurity.
Risk Management and Strategy.
The Company manages cybersecurity risk as part of our overall enterprise risk management strategy, overseen by the Audit Committee and the Board of Directors. The Company has developed an information security program to address material risks from cybersecurity threats. The program includes processes identifying how security measures and controls are developed, implemented, and maintained. Our cybersecurity processes align with the National Institute of Standards and Technology (NIST CSF) Framework.
The Company conducts regular risk assessments on systems and applications to help detect potential risks, threats, and vulnerabilities. Additionally, annual assessments are conducted to evaluate the effectiveness of controls. Risk assessment, risk-based analysis, and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls, and impact of controls on operations and others.
Several controls are employed to differing extents, encompassing but not restricted to endpoint threat detection and response (EDR), identity and access management (IAM), privileged access management (PAM), logging and monitoring utilizing security information and event management (SIEM), multi-factor authentication (MFA), firewalls, intrusion detection, and prevention, as well as vulnerability and patch management. Third-party security firms are used in different capacities to provide or operate some of these controls and technology systems. For example, third parties conduct assessments, such as vulnerability scans, penetration testing, and overall risk assessments, and third-party tools are utilized to identify potential vulnerabilities.
The Company employs a variety of processes to address cybersecurity threats related to third-party technology and services, including privacy, solution and vendor risk assessments, imposition of contractual obligations, and performance monitoring. The Company also currently relies on services provided by Kellanova, under the Transition Service Agreement.
To support our preparedness, the Company has a written incident response preparedness plan that we update as business needs and the security landscape change. In the event of a cybersecurity incident, our incident response team refers to the plan, and the Company conducts tabletop exercises to enhance incident response preparedness. The plan sets out clear response procedures on how to define roles, categorize incidents, determine materiality, record responses, comply with regulatory standards, assist in public disclosure, and defines the process for assessing impact for materiality purposes. It is designed to enable a prompt, uniform, and efficient strategy to reduce the financial, operational, legal, and reputational risks associated with cybersecurity incidents. Business continuity and disaster recovery plans are used to prepare for the potential disruption of technology we rely on.
The Company has implemented a user awareness program to enhance cybersecurity measures. These include phishing, malware, data handling, device security, cybersecurity education, password security, internet browsing and defenses to physical threats.
As part of our overall risk mitigation strategy, the Company also maintains cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyberattacks and other related breaches. The Company (or third parties it relies on) may not be able to fully, continuously, and effectively implement security controls as intended.
As described above, we utilize a risk-based approach and judgment to determine the security controls to implement, and it is possible we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks and events, when detected by security tools or third parties, may not always be immediately understood or acted upon. For further discussion of these risks, see “Risk Factors-Risks Related to Our Intellectual Property and Technology-Technology failures, cyber-attacks, privacy breaches or data breaches could disrupt our operations or reputation and negatively impact our business.”
Governance
The Company has a Governance, Risk, and Compliance (GRC) IT function to address enterprise risks; cybersecurity is a category handled by that function. Cybersecurity is a vital pillar within a comprehensive risk management framework, fostering cross-functional collaboration to fortify organizational resilience against digital threats. The Company has a privacy and security governance committee. The company operates a privacy and security governance committee and a cybersecurity team led by a Chief Information Security Officer. With cybersecurity experience across IT services, Telecom, and Manufacturing sectors, the Chief Information Security Officer spearheads cybersecurity risk and strategy and directly reports to the Chief Information Officer. Additionally, as part of our overall enterprise risk management strategy, our Audit Committee, which consists solely of independent directors, oversees cybersecurity and receives updates from the Chief Information Security Officer on a periodic basis on cybersecurity matters, which include a review of potential digital threats and vulnerabilities, cybersecurity priorities, and our cybersecurity framework.
As of February 25, 2025, we are not aware of any material cybersecurity incidents that impacted the Company or are reasonably likely to impact the Company materially. There have been instances of unauthorized access to company assets, including both those managed directly by the Company and those managed by vendors or stored in vendor systems containing company information. These systems have also been, and will likely continue to be, vulnerable to threats such as computer viruses, malware, malicious code, social engineering attacks, unauthorized access attempts, password theft, physical breaches, employee errors, misconduct, and cyber or phishing attacks. For a more detailed discussion of our cybersecurity risks, see “Risks Related to Our Intellectual Property and Technology - Technology failures, cyber-attacks, privacy breaches or data breaches could disrupt our operations or reputation and negatively impact our business.”
Company Information
Name | WK Kellogg Co |
CIK | 0001959348 |
SIC Description | Grain Mill Products |
Ticker | KLG - NYSE |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 27 |