Kenvue Inc. - (KVUE)
10-K Filing Date: March 01, 2024
Item 1C. CYBERSECURITY
Risk Management and Strategy
Our process for assessing, identifying and managing material risks from cybersecurity threats is integrated into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. Our cybersecurity organization continually evaluates and addresses cybersecurity risk in alignment with our business objectives. We employ automation, and we also engage our internal audit function and a range of external consultants and other expert third parties in connection with the evaluation and management of cybersecurity risk and the maturation of our cybersecurity program.
Our cybersecurity organization assesses and manages cybersecurity risk through technical, physical and administrative controls, including implementing cybersecurity policies, procedures and strategies, with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while increasing our system resilience in an effort to minimize business impact should an incident occur. The underlying controls of the cybersecurity risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology Cybersecurity Framework. In addition, we maintain a Data Incident Response Program, which is designed to identify, assess, manage and report significant data incidents, including those reasonably likely to affect our business strategy, results of operations or financial condition. The Data Incident Response Program outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas, senior management, and the Company’s disclosure committee or a sub-committee thereof as appropriate. The disclosure committee or a sub-committee thereof will consider the materiality of an incident elevated by the Data Incident Response Program, inform the Board and other key stakeholders as appropriate, and determine the Company’s reporting obligation on a timely basis.
We rely heavily on our supply chain to deliver our products to our customers and consumers, and a cybersecurity incident at a supplier or partner could materially adversely impact us. As such, we have processes in place to oversee and identify risks from cybersecurity threats associated with suppliers and our use of third-party service providers, including through our Supplier Cyber Risk Assessment process, which assesses third-party cybersecurity controls through a combination of risk assessment questionnaires, commercially available risk data and proprietary algorithms. We also include security and privacy addendums to our contracts where applicable. We require that our suppliers and partners report cybersecurity incidents to us so that we can assess the impact of such an incident on us and have dedicated processes to respond to cybersecurity incidents at third parties.
Risks from cybersecurity threats did not materially affect our results of operations or financial condition during the period covered by this filing.
Governance
Cybersecurity-related risks are one of the key risks contemplated by our Enterprise Risk Management (“ERM”) Framework. The ERM Framework informs our strategic planning activities through a collaborative risk management environment that proactively identifies and prioritizes our strategic, preventable, and external risks (including new or changing regulations). The ERM Framework enables a clear understanding of the top risks and the exposure they have to our performance and strategic decisions. The ERM Framework is reviewed annually as part of a risk assessment that is presented to our Board.
Our ERM Framework describes the roles and responsibilities of the Integrated Risk Management Council, a cross-functional group of senior enterprise risk leaders, which meets regularly to review and discuss significant risks facing our business, including cybersecurity risk. Our Integrated Risk Management Council, which includes our Chief Information Security Officer (“CISO”), proactively identifies, assesses and prioritizes key or emerging risks, which are then escalated to senior management as needed and, in the case of cybersecurity risk, reported to the Nominating, Governance & Sustainability Committee or our full Board.
The Nominating, Governance and Sustainability Committee of our Board (the “NG&S Committee”) is responsible for assisting the Board with respect to designated risk oversight matters, including privacy and cybersecurity. The NG&S Committee receives reports from, and meets at least twice a year and as needed with, the CISO and the Chief Privacy Officer. The CISO and the Chief Privacy Officer inform the NG&S Committee, which in turn informs our Board, of risks from cybersecurity threats during such meetings. The NG&S Committee reports to our full Board following each of its regularly scheduled meetings at a minimum and reviews with our Board significant issues or concerns that arise at NG&S Committee meetings.
Our cybersecurity organization is led by our CISO. Our CISO leads a global team to develop our strategic cybersecurity priorities and execute operational plans. He has over 25 years of cybersecurity experience in the healthcare, finance and telecommunications industries and in government. Prior to his role at Kenvue, our CISO spent over ten years at J&J in cybersecurity, and he retired from the United States Air Force Reserves in 2018 as a Lieutenant Colonel, where he had responsibility for cybersecurity. He is a Certified Information Systems Security Professional and holds a Master’s in Telecommunications Management from the University of Maryland, University College. The members of the cybersecurity organization have decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes around the world, and rely on threat intelligence as well as other information obtained from governmental, public or private sources, including external consultants.
Notwithstanding our cybersecurity measures, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. For a discussion of cybersecurity risks, see Item 1A, “Risk Factors—Risks Related to Our Operations—An information security incident, including a cybersecurity breach, or the failure, interruption, breakdown, invasion, corruption, destruction, or breach of an information technology system owned or operated by us or a third party, could adversely affect our business, results of operations or financial condition.”