Utz Brands, Inc. - (UTZ)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management
We maintain a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical information technology systems and information.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares the same methodologies, incident reporting channels and governance processes as those used in our enterprise risk management. We designed and continue to assess our cybersecurity program based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), which we use as a guide to help us identify, prioritize and manage the cybersecurity risks that could materially affect our business, financial condition or results of operations.
Our cybersecurity risk management program includes a Security Incident Response Plan (“SIRP”). Our SIRP provides the Company with the capability of planning, identifying, containing, and tracking cybersecurity incidents experienced by us or our third-party service providers. Our SIRP was established to reduce or minimize the impact of cybersecurity incidents on our networks, IT systems, users or business processes. The execution of our SIRP is led by the Chief Information Officer (“CIO”) in conjunction with our Security Incident Response Team, comprised of network, system administrators and cybersecurity experts, who, in the event of an incident, together perform a damage assessment, deliver impact notifications and implement containment procedures depending upon the incident. In addition, we engage third parties on an as-needed basis to assess our cybersecurity practices and procedures.
Our cybersecurity risk management program also includes:
• a multi-layered approach to cybersecurity in order to protect our assets;
• identification of key risk areas through internal reviews and researching trends;
• continuous mitigation in the areas of human behavior, data breaches, remote work, third party vendors, removable media and emerging threats;
• performance of multiple assessments both internal and external;
• quarterly mandatory security training for employees as well as monthly phishing tests; and
• multi-factor authentication.
For the fiscal year ended December 31, 2023, we did not experience any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.
Cybersecurity Governance
We are committed to protecting our information technology (“IT”) assets and data. This commitment includes the protection of IT assets relevant to our operations, employees, customers and suppliers’ data, intellectual property and our products, among others.
Our Company Board plays a role in overseeing risks associated with cybersecurity threats. The Audit Committee of the Board has been provided specific responsibility for overseeing the Company’s risk management of cybersecurity. The Audit Committee has appointed a member of the Audit Committee to receive certified cybersecurity training so he can provide specialized guidance to the Board and Company.
Periodically throughout the year, the CIO briefs the Audit Committee and Board on cybersecurity activities and long-term cybersecurity strategies, as well as general cybersecurity trends that could have a material impact on the Company. At any time, the Company Board members may raise concerns regarding the Company’s cybersecurity posture and recommend future changes to controls or procedures.
Our Audit Committee is also responsible for the oversight of risks from cybersecurity threats. Our CIO, Chief Financial Officer, and Security Incident Response Team provide regular updates to the Audit Committee of the Company Board on cybersecurity risks. Through these updates, the Audit Committee receives information on the status of key cybersecurity activities such as email phishing, event logging and data encryption, among others. Information regarding relevant cybersecurity training is provided as well.
Our CIO leads our management team in assessing and managing our response to cybersecurity threats and incidents. Our CIO has a Bachelor of Technology degree in Computer Science with over 30 years of experience in IT, with over five years managing IT Infrastructure and Security. The primary responsibility of the management team with respect to cybersecurity risk is managing our overall cybersecurity risk management program and supervising both our internal cybersecurity personnel and our retained external cybersecurity consultants, and working with all divisional, manufacturing, and functional teams on cybersecurity issues. The management team’s efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents are enhanced by monthly and quarterly briefings from internal security personnel, by receipt of threat intelligence and other information obtained from governmental, public or private sources, including external consultants, periodic assessments against the NIST CSF and through alerts and reports produced by security tools deployed in our IT environment. In the event a cybersecurity incident rises to the level of a corporate crisis, the management team along with the Security Incident Response Team would engage the Company Board.