Page last updated on March 25, 2025
SMITHFIELD FOODS INC reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-25 08:00:04 EDT.
Filings
10-K filed on 2025-03-25
SMITHFIELD FOODS INC filed a 10-K at 2025-03-25 08:00:04 EDT
Accession Number: 0000091388-25-000017
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY DISCLOSURE

Risk Management and Strategy

We acknowledge the significance of cybersecurity in protecting our operations, data, and shareholders’ interests, and have made cybersecurity a fundamental component of our overall risk management framework. Our cybersecurity program is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. This framework guides our efforts to protect critical assets, identify potential threats, respond to incidents, and strengthen resilience, while simultaneously allowing us to assess and enhance the maturity of our program.

The cybersecurity program is informed by our Enterprise Risk Management (“ERM”) process and relies on internal and external expertise. We proactively evaluate and refine our security controls by utilizing best practices and threat intelligence to mitigate cyber risks. The Company also utilizes third parties for some cybersecurity services, including managed security services, external penetration testing, and social engineering tests. Additionally, we maintain an incident response plan that aligns with industry standards to ensure timely detection, containment, and remediation of security incidents.

Cybersecurity Program Components

Our cybersecurity program includes a focus on governance, process, technology and people. Key components include prevention, detection, and response capabilities, employee training programs, threat intelligence monitoring, and the implementation of an array of technologies.

For example, to effectively manage cybersecurity risks, we maintain an asset inventory and classify critical systems to ensure appropriate protection measures. Our risk management processes include regular assessments of internal and third-party risks, which are aligned with our ERM strategy. We enforce cybersecurity policies, standards, and governance practices, ensuring they align with regulatory requirements and industry best practices.
Additionally, we conduct periodic business impact analyses to strengthen resilience and inform risk-based decision-making.

The cybersecurity program incorporates multiple layers of security controls to safeguard our systems and data. Access controls are established based on the principle of least privilege, and all employees engage in cybersecurity awareness training to cultivate a security-conscious culture. We train our employees through periodic security training, phishing simulations and regular communications about timely security topics to enhance their understanding of cybersecurity threats and their ability to identify and escalate potential cybersecurity events. We maintain robust security configuration management and regularly update systems to minimize vulnerabilities. Investments in security technology include vulnerability management tools, malicious software protection, email security, and around-the-clock monitoring.

Our cybersecurity team continuously monitors network activity using advanced threat detection tools. Through automated alerts, behavioral analytics, and threat intelligence, security anomalies are identified in a timely manner. Routine vulnerability scanning and independent penetration testing further enhance our ability to detect weaknesses before they can be exploited.

We have an established incident response plan that aligns with NIST guidelines, ensuring a structured approach to identifying, containing, eradicating, and recovering from security incidents. The plan includes defined escalation procedures to engage executive leadership and regulatory authorities as necessary. Our cybersecurity team conducts regular incident response exercises to enhance response readiness. Additionally, we have a process in place to perform post-incident reviews to refine processes and prevent recurrence.

Recovery strategies are in place and supervised by a crisis management plan to restore critical operations following a cybersecurity event.
We maintain secure, redundant backups and regularly test them for integrity and availability. Our recovery strategies prioritize minimizing downtime and rapid service restoration. We strive to incorporate lessons learned from past incidents, strengthening our resilience against future threats.

Third-party risk management is a critical component of IT risk management. We evaluate new vendors before onboarding to identify and manage potential risks and establish contractual requirements for security controls and notification. We also strive to monitor emerging risks associated with those third-party service providers. Assessment of these providers includes completing a standardized questionnaire and conducting risk evaluations for financial, reputational, information security, cybersecurity, and business resiliency risks.

Impact of Cybersecurity Risks and Threats

While some of the Company’s third-party service providers have experienced cybersecurity incidents and the Company has experienced threats to its data and systems, as of the date of this report, the Company’s management is not aware of any cybersecurity threats or incidents that have materially affected its business strategy, results of operations, or financial condition. While we remain vigilant, there can be no guarantee that we will not be the subject of future threats or incidents. Additional information on cybersecurity risks we face can be found in “Item 1A. Risk Factors-Risks Relating to Our Business and Operations-We are increasingly dependent on information technology, and our business and reputation could suffer if we are unable to protect our information technology systems against, or effectively respond to, cyberattacks, other cyber-incidents or security breaches or if our information technology systems are otherwise disrupted,” which should be read in conjunction with the foregoing information.
Governance

Board of Directors and Audit Committee

Our Board of Directors has delegated oversight of the Company’s ERM program, including cybersecurity, to the Audit Committee. The Audit Committee receives updates from our Senior Vice President, Information Technology (“SVPIT”) and members of our Information Technology Security Services Department regarding our enterprise-wide cybersecurity programs at least on a quarterly basis. These updates may address data management and security initiatives, significant existing and emerging cybersecurity risks, and any material cybersecurity incidents and their impact on the Company and its stakeholders.

Management

The Company’s management is responsible for identifying, assessing, and managing the Company’s exposure to cybersecurity risk. The Company has an internal team that is supported by security technologies, third-party experts, and threat intelligence resources in support of cybersecurity risk reduction.

Our SVPIT oversees the team responsible for leading the enterprise-wide information technology strategy, policy, standards, architecture, and processes. This team includes our Information Technology Security Services Department and incorporates input from personnel from different functions, levels, and operating regions to support a high level of visibility and accountability throughout the company and to incorporate multiple vantage points on risks and potential mitigations.

Our cybersecurity team also includes our Cybersecurity Operations Center, which is comprised of cybersecurity professionals and is responsible for the detection, analysis, and response to cybersecurity events, including threats and incidents, and is overseen by the Director of Cybersecurity Operations. Our Information Technology Security Services Department is responsible for overseeing the execution of cybersecurity strategy and maturing the Company’s cybersecurity posture.
Our SVPIT has over 20 years of experience in the IT industry, including change management, cybersecurity, and enterprise architecture. The Information Technology Security Services Department has extensive experience in cybersecurity, including graduate degrees in information security and Certified Information Security Systems Professional certifications.
Company Information
Name | SMITHFIELD FOODS INC |
CIK | 0000091388 |
SIC Description | Meat Packing Plants |
Ticker | SFD - Nasdaq |
Website | |
Category | |
Fiscal Year End | December 28 |