Westrock Coffee Co 10-K Cybersecurity GRC - 2025-03-12

Page last updated on March 12, 2025

Westrock Coffee Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 16:05:41 EDT.

Filings

10-K filed on 2025-03-12

Westrock Coffee Co filed a 10-K at 2025-03-12 16:05:41 EDT
Accession Number: 0001558370-25-002804

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Material risks of cybersecurity threats are integrated into the Company’s overall risk management program and managed across the Company, utilizing internal and third-party expertise . To protect our information systems from a cybersecurity threat, certain tools have been implemented within our IT network to help prevent, identify, detect, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. The Company also leverages the services and tools of a third-party cybersecurity firm to identify, prioritize, assess, mitigate and remediate reasonably foreseeable cybersecurity risks and threats. To identify, detect and respond to a cybersecurity incident, we conduct proactive cybersecurity reviews of systems and applications, audit applicable data policies, perform penetration testing, perform incident response capability reviews and exercises, conduct annual employee training, monitor emerging laws and regulations related to data protection and information security (including intellectual property) and implement appropriate changes. The Company has implemented a cybersecurity incident response plan that outlines the Company’s process for preparing for a cybersecurity incident, detecting, analyzing, containing, eradicating and recovering from such incident, and provides guidance for post-incident analysis. Additionally, we have established a Cyber Incident Committee that is comprised of leadership across the Company’s finance, legal, accounting, internal audit and IT organizations to provide guidance and monitor overall company cybersecurity. When a cybersecurity incident occurs, the Company prioritizes responding to and containing the threat and minimizing any business impact as appropriate. Each incident is evaluated, to determine the operational and financial significance, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact. An incident that reaches a specific level of severity is reported to the Cyber Incident Committee within pre-determined time frames. In such instance, the Cyber Incident Committee monitors the incident through resolution and post-incident analysis. To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, which have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition . For additional discussion of cybersecurity risks or the impact of previous cybersecurity incidents, see Item 1A. Risk Factors " Risks Related to Our Business" in this Annual Report on Form 10-K. Governance The Company’s board of directors is responsible for overseeing the Company’s risk management program and has designated its Audit & Finance Committee with specific responsibility for overseeing cybersecurity risks, among other risks. The Company’s cybersecurity organization is led by our Director of Information Security (“DOIS”), who is responsible for assessing and managing material risks that result from cybersecurity threats, and reports to the Senior Vice President and Chief Information Officer (“CIO”) . The CIO and the Audit & Finance Committee monitor the prevention, detection, mitigation and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes. Our DOIS has nearly a decade of experience within cybersecurity functions and his skillset includes security architecture and engineering, incident response and penetration testing. Our CIO joined the Company in 2023 and most recently served as CIO and VP at another large, publicly-traded organization and has held other vital IT positions over the course of his over 25 year career. The Audit & Finance Committee regularly reviews our cybersecurity program with our CIO and management and reports to the Board of Directors. Cybersecurity reviews by the Audit & Finance Committee generally occur annually, or more frequently as determined to be necessary or advisable. Additionally, on a quarterly basis, members of the Audit & Finance Committee receive updates from our CIO regarding matters of cybersecurity, including, but not limited to, information on new and/or existing cybersecurity risks and management’s response to such risks, cybersecurity and data privacy incidents, if any, and status on key information security initiatives.

Company Information