INTERNATIONAL FLAVORS & FRAGRANCES INC - (IFF)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY.
Risk Management and Strategy
Our comprehensive Incident Response Plan outlines processes to identify, detect, assess, respond to and recover from threats, including cybersecurity threats. We follow those processes to manage material risks from cybersecurity threats, including risks relating to disruption of business operations or financial reporting systems; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation/legal risk; and reputational risk, as part of our overall risk management system and processes.
In addition, our Enterprise Risk Management (“ERM”) program considers cybersecurity risks alongside other company risks. Our enterprise risk professionals consult with cross-organizational leaders to gather information necessary to identify cybersecurity risks, evaluate their likelihood and severity, identify necessary mitigations and assess the potential impact of those mitigations on residual risk. Our ERM Committee, chaired by the Chief Financial Officer (“CFO”) and General Counsel (“GC”), and comprised of senior leaders representing each risk domain, integrates global risks, including cybersecurity and compliance, to ensure appropriate prioritization of resources and alignment across the Company. The ERM Committee meets with our Executive Leadership Team and presents at least annually to our Board of Directors on the ERM process and on our risk mitigation actions, including providing reporting focused on compliance and cybersecurity risks.
Our Chief Information Officer (“CIO”) is responsible for delivering on the Company’s global Information Technology (“IT”) strategy, including infrastructure, data and analytics, application delivery, end user services, cybersecurity risk management and the digital technology transformation program. The IT leadership team leads the implementation of the IT strategy and the day-to-day operations. Under the guidance of the CIO, our Chief Information Security Officer (“CISO”) leads Information Security (“InfoSec”), which includes the Cyber Fusion Center, Infrastructure Security, including network segmentation, firewalls and intrusion detection and prevention systems, Identity and Access Management, Application Security, Data Security and InfoSec Governance, Risk and Compliance. InfoSec is overseen by the InfoSec Steering Committee, comprised of senior leaders representing all corporate functions and business units, and the InfoSec Governance Review Board, comprised of the IT leadership team and the InfoSec leadership team. InfoSec is governed in coordination with IFF’s ERM Committee and is aligned to the U.S. National Institute of Standards and Technology (“NIST”) Cybersecurity Framework.
In addition to our dedicated leadership team overseeing InfoSec, we view InfoSec as a shared responsibility, and to best protect our network, computers and data from threats, we empower our employees to be our first line of defense. To that end, all employees globally complete annual mandatory InfoSec training on email security, password security and our Acceptable Use Policy. We use email security, endpoint security, logging and monitoring, remote access, application security and other tools to deter threat actors, block malicious/phishing emails and avoid IT system interruptions.
Our comprehensive InfoSec Incident Response Plan is updated at least annually, and provides guidance for detecting, containing, eradicating and recovering from potential incidents. It outlines escalation procedures, reporting requirements, incident severity levels, a materiality assessment and roles and responsibilities for key partners, including IT, Legal/Employee Relations, Corporate Communications, Human Resources and other senior leaders. Our escalation procedures include escalation to our Executive Leadership Team, Audit Committee, Disclosure Committee, and Board of Directors, and reporting to
regulators, customers, investors, and others. We also maintain cybersecurity insurance, regularly evaluate the effectiveness of our systems, and test our contingency plans by conducting vulnerability analysis and tabletop exercises with both technical incident responders and senior leaders.
Based on industry baselines and discussions throughout our membership in various global InfoSec communities, we believe that these preventative actions provide adequate measures of protection against information security breaches/incidents and reduce our cybersecurity risks. Given the evolving nature of InfoSec incidents, we regularly engage with our peers on threat intelligence and collaborate with organizations both in our industry and across industries to share best practices.
In connection with our InfoSec risk management processes, we engage third-party assessors and outside counsel. Our program includes review and assessment by external, independent third parties, who assess and report on our overall InfoSec program and identify areas for continued focus and improvement. Our CIO, CISO and GC oversee our technology risk management and privacy teams, which work in partnership with our Internal Audit team to review IT-related controls as part of the overall internal controls process and regulatory requirements. We consult with outside counsel to advise our team and our Board of Directors on best practices for InfoSec oversight, and the evolution of that oversight over time. InfoSec employees regularly speak at and attend industry events to ensure awareness of evolving threats and innovative prevention and remediation techniques. Further, our InfoSec risk management processes extend to the oversight and identification of threats associated with our use of third-party service providers through relationship due diligence, InfoSec assessments and contractual provisions.
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. For more detailed information about risks related to our cybersecurity, refer to Item 1A, “Risk Factors” – “A significant data breach or other disruption to our information technology systems could disrupt our operations, result in the loss of confidential information or personal data, and adversely impact our reputation, business or results of operations.”
Governance
The Board of Directors is responsible for overseeing and reviewing with management the Company’s InfoSec risks and the policies and practices established to manage such risks. In that effort, the Board of Directors delegates certain responsibilities to our Audit Committee. This committee-level focus on InfoSec allows the Board to further enhance its understanding of these issues as it continues to have overall oversight responsibility for risk.
The Audit Committee assists the Board of Directors in its oversight by staying apprised of our InfoSec programs, strategy, policies, standards, architecture, processes and material risks, and by overseeing response to InfoSec incidents. Our Audit Committee receives from management updates, at least quarterly, on material security risks, including any material incidents, relevant industry developments, threat vectors and material risks identified in periodic penetration tests or vulnerability scans. These updates also include material legal and legislative developments concerning InfoSec, our approach to complying with applicable law and material engagement with regulators concerning IT and InfoSec.
The Board of Directors receives regular reports from the Audit Committee which detail (a) InfoSec initiatives, (b) reviews of the policies and practices established to manage these processes, and (c) reviews of the Company’s procedures for monitoring compliance with applicable laws. Additionally, the Board of Directors receives updates on the Company’s risks through ERM program reports, which include management’s approach to mitigating and managing InfoSec risks.
Members of the Board of Directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management, as appropriate, to address the effectiveness of our overall data privacy and cybersecurity program. Recently, members of the Board of Directors and Executive Leadership Team participated in a Cybersecurity Exercise led by our CIO and CISO as training and to prepare for incident response. The Board of Directors and Audit Committee also receive regular cybersecurity posture reports from an external third party, and outside counsel advises the Board of Directors on best practices for the Board’s oversight of InfoSec and the evolution of that oversight over time. Additionally, two members of our Board of Directors and Audit Committee have experience in InfoSec matters.
Our Board of Directors and Audit Committee’s principal role is one of oversight, recognizing that management, led by our CIO and CISO, is responsible for the design, implementation and maintenance of an effective program for identifying, detecting, protecting against, responding to, recovering from and mitigating data privacy and InfoSec risks. Our CIO has more than 30 years of technology experience, including leadership across a variety of enterprise technologies, including InfoSec, and across multiple industries. Our CISO has more than 20 years of experience in InfoSec, across multiple industries, and is a Certified Information Systems Security Professional (CISSP). The CIO and CISO provide at least annual updates on IT and InfoSec initiatives to the Board of Directors and quarterly updates to the Audit Committee.