Primo Water Corp /CN/ - (PRMW)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management, Strategy and Governance
The Company maintains a robust cybersecurity infrastructure to safeguard our operations, networks and data through comprehensive security measures including our technology tools, internal management and external service providers.
The Company’s Global Chief Information Security Officer (“CISO”) is responsible for assessing, identifying, and managing the risks from cybersecurity threats. This individual has over 30 years of experience in information security positions. Our CISO holds the Certified Information Security Manager and Certified Information Systems Security Professional certifications from ISACA and ISC2, respectively, two leading independent cybersecurity associations.
Our Board of Directors, primarily through the Audit Committee, oversees management's approach to managing cybersecurity risks. The Audit Committee holds periodic discussions with management regarding the Company’s guidelines and policies with respect to cybersecurity risks and receives regular reports regarding such risks and the steps management has taken to monitor and control any exposure resulting from such risks. Our CISO also leads an annual review and discussion with the full Board of Directors dedicated to Primo’s cyber risks, threats, and protections and provides updates throughout the year, as warranted.
We have processes and a risk-based approach that align with the National Institute of Standards and Technology Cybersecurity Framework. Our information security program includes, among other aspects, vulnerability management, antivirus and malware protection, encryption and access control, and employee training. The CISO reviews emerging threats, controls, and procedures as part of assessing, identifying, and managing risks. This review aids in the identification of material breaches at other companies, including our third-party service providers. The CISO also discusses trends in cyber risks and our strategy to defend our information against cybersecurity incidents with our Audit Committee and executive leadership team on a regular basis, in addition to the annual review and discussion with the full board.
In addition to our dedicated information security and technology teams monitoring our daily operations, we engage independent third-party cybersecurity providers for managed systems security, endpoint detection and response, and threat and vulnerability management. Regular communication with these providers aids in the identification and remediation of potential threats, and we regularly review our relationships with and services from these providers against industry standards and evolving cybersecurity threats.
We also endeavor to apprise employees of emerging risks and require them to undergo annual security awareness trainings and supplemental trainings as needed. All employees undergo annual training and there are additional trainings for certain roles and functions. Additionally, we conduct periodic internal exercises to gauge the effectiveness of the trainings and assess the need for additional training.
Material cybersecurity incidents are required to be reported to the Board of Directors and to the SEC on Form 8-K. Our systems and services are vulnerable to interruptions or other failures resulting from cybersecurity attacks, such as computer viruses, ransomware, phishing, hackers, or other security issues. In addition, the rapid evolution and increased adoption of new technologies, such as artificial intelligence, may intensify our cybersecurity risks. An interruption or cybersecurity breach, disruption or misuse of our information systems, or the information systems of our third-party service providers, could have a material negative effect on our business, financial condition and results of operations but we have processes in place to mitigate these risks. As of the date of this report, we have not experienced material business disruption, monetary loss, and/or data loss as a result of phishing, business email compromise or other types of attacks.