SpartanNash Co - (SPTN)
10-K Filing Date: February 28, 2024
Management's Role
The Information Security function is led by the Chief Information Security Officer (CISO), under the direction of the Chief Information Officer (CIO). The Company’s CISO, who was appointed in August 2021, has over 20 years of experience within information security and is both a Certified Information Security Manager and a Certified Information Systems Auditor. Key responsibilities of the Information Security function include developing cybersecurity strategies; managing cybersecurity governance; performing cybersecurity risk assessments; ensuring compliance with security standards and regulatory requirements; managing identity and access; monitoring cybersecurity threats; validating cybersecurity alerts; preparing for and responding to cybersecurity incidents; maintaining business continuity and disaster recovery plans; and creating security awareness through periodic training of both Company leadership and Associates. The CIO, CISO and the Company’s Chief Legal Officer, who also serves as the Chief Compliance Officer, have oversight responsibility for the Company’s cybersecurity program.
Board Oversight
The Company’s Board of Directors (Board) has appointed the Audit Committee to assist the Board in fulfilling its responsibilities with respect to the oversight of cybersecurity, data security, privacy programs, and the Company’s response to security breaches. Two Company Directors serving on the Audit Committee completed the National Association of Corporate Directors/Carnegie Mellon CERT cyber-risk oversight program along with required examinations and earned the CERT designation. The CISO provides quarterly updates to the Audit Committee, which include a current evaluation of the Company’s maturity within the National Institute of Standards and Technology (NIST) framework, including assessments against key performance indicators, updates on internal phishing campaigns, tabletop exercises conducted at various levels of the organization, and management training. The Audit Committee also reviews reports and recommendations from third parties periodically engaged by the Company to assess the cybersecurity control environment. In addition, the Company’s internal audit function periodically audits elements of the security program and reports its observations to the CISO and the Audit Committee.
Risk Management and Strategy
As a component of the Company’s overall risk management process, which is aligned with a broader Enterprise Risk Management framework, the Company has implemented a multi-layered approach to minimize cybersecurity risk and safeguard its data. The Company conducts cybersecurity risk assessments on a regular basis and responds to identified risk exposures by employing a combination of risk mitigation strategies, including the adoption of cybersecurity controls and maintaining a cybersecurity insurance policy that provides coverage for security breaches. The Company engages third-party consultants periodically to evaluate elements of the cybersecurity policy, processes, procedures and controls. The CISO and other members of the Executive Leadership Team respond to applicable recommendations arising from the third-party consultants. In addition, the Company engages a Qualified Security Assessor as part of the compliance requirements for the Payment Card Industry (PCI). The Company also engages a third-party risk management provider to ensure its vendors comply with internal security and privacy requirements and that key vendors are continually monitored for security risks. The Company’s cybersecurity governance practices are based on the Company’s common control framework, which incorporates elements from the NIST Cybersecurity Framework, the Center for Internet Security’s benchmark standards, and specific regulatory and industry requirements including the Health Insurance Portability and Accountability Act and PCI. The CISO provides at least quarterly updates on the cybersecurity program, including the results of the cybersecurity risk assessments and the related responses, to the Company’s Security Governance Council, composed of members of the Executive Leadership Team. The Company continually monitors cybersecurity threats and has a dedicated cybersecurity team in place to identify whether any of the threats may lead to a cybersecurity incident.
In the event of such an incident, the Company will take decisive measures to thoroughly analyze, contain, and eliminate the threat. Following an incident, a comprehensive review is performed to determine whether the incident meets qualitative or quantitative materiality thresholds, and whether the incident warrants public disclosure.
Effect of Cybersecurity Threats
As of the effective date of this filing, the Company is not aware of any known or potential cybersecurity threats that are reasonably likely to materially affect the Company’s business strategy, results of operations, or financial condition. Although the Company believes it has implemented sufficient security measures to protect against cyber-attacks, unknown cyber incidents could materially disrupt the Company’s operations or compromise sensitive information.