Westrock Coffee Co - (WEST)
10-K Filing Date: March 15, 2024
Risk Management and Strategy
Material risks of cybersecurity threats are integrated into the Company’s overall risk management program and managed across the Company, utilizing internal and third-party expertise. To protect our information systems from a cybersecurity threat, certain tools have been implemented within our IT network to help prevent, identify, detect, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. The Company also leverages the services and tools of a third-party cybersecurity firm to identify, prioritize, assess, mitigate and remediate reasonably foreseeable cybersecurity risks and threats.
To identify, detect and respond to a cybersecurity incident, we conduct proactive privacy and cybersecurity reviews of systems and applications, audit applicable data policies, perform penetration testing, perform incident response capability reviews and exercises, conduct employee training, monitor emerging laws and regulations related to data protection and information security (including intellectual property) and implement appropriate changes. The Company has implemented a cybersecurity incident response plan that outlines the Company’s process for preparing for a cybersecurity incident, detecting, analyzing, containing, eradicating and recovering from such incident, and provides guidance for post-incident analysis. Additionally, we have established a Cyber Incident Committee that is comprised of leadership across the Company’s finance, legal, accounting, internal audit and IT organizations to provide guidance and monitor overall company cybersecurity.
When a cybersecurity incident occurs, the Company prioritizes responding to and containing the threat and minimizing any business impact as appropriate. Each incident is evaluated to determine the operational and financial significance, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact. An incident that reaches a specific level of severity is reported to the Cyber Incident Committee within pre-determined time frames. In such instance, the Cyber Incident Committee monitors the incident through resolution and post-incident analysis.
For a discussion of cybersecurity risks or the impact of previous cybersecurity incidents and how they have materially affected us or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, see Item 1A. Risk Factors “Risks Related to Our Business”, which are incorporated by reference into this Item 1C.
Governance
The Company’s board of directors is responsible for overseeing the Company’s risk management program and has designated its Audit & Finance Committee with specific responsibility for overseeing cybersecurity risks, among other risks. The Company’s cybersecurity organization is led by our Director of Information Security (“DOIS”), who is responsible for assessing and managing material risks that result from cybersecurity threats, and reports to the Senior Vice President and Chief Information Officer (“CIO”). The CIO and the Audit & Finance Committee monitor the prevention, detection, mitigation and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including regular communication with our DOIS and regular communication with and reporting from an outsourced third-party cybersecurity firm and operation of the Company’s cybersecurity incident response plan, which includes escalation to the Cyber Incident Committee.
Our DOIS has nearly a decade of experience within cybersecurity functions and his skillset includes security architecture and engineering, incident response and penetration testing. Our CIO joined the Company in 2023 and most recently served as CIO and VP at another large organization where he built a high-performing, global, collaborative IT team to focus on digitization, M&A, analytics and cybersecurity and has held other vital IT positions over the course of his career.
The Audit & Finance Committee regularly reviews our cybersecurity program with our CIO and management and reports to the Board of Directors. Cybersecurity reviews by the Audit & Finance Committee generally occur annually, or more frequently as determined to be necessary or advisable. Additionally, on a quarterly basis, members of the Audit & Finance Committee receive updates from our CIO regarding matters of cybersecurity, including, but not limited to, information on new and/or existing cybersecurity risks and management’s response to such risks, cybersecurity and data privacy incidents, if any, and status on key information security initiatives.