BOSTON BEER CO INC - (SAM)
10-K Filing Date: February 27, 2024
The Company faces motivated and persistent cybersecurity threats from a variety of adversaries on a daily basis. As a manufacturing company dispersed across multiple states supported by a global supply chain, the Company recognizes the critical importance of maintaining the safety and security of its networks and systems, as well as ensuring the confidentiality, integrity, and availability of its data. The Company employs a holistic process for overseeing and managing cybersecurity and information security risks which is supported by both management and its Board of Directors.
As described in more detail below, the Company has established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. The Company has devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations and intends to continue to make significant investments to maintain the security of its data and cybersecurity infrastructure.
The Company's cybersecurity program is led by its Chief Information Security Officer (CISO), who reports to its Chief Information Officer (CIO). The CISO is responsible for management of cybersecurity risk and the protection and defense of the Company's networks and systems. The CISO manages a team of cybersecurity professionals with broad experience and expertise, including in incident response, forensics, threat intelligence, vulnerability management, and mitigation. The Company's cybersecurity team has processes in place to assess, identify, manage, and address material cybersecurity threats and incidents. These include, among other things: annual and ongoing security awareness training for employees, mechanisms to detect and monitor unusual network and endpoint activity, integrated threat intelligence, and containment and incident response tools. The cybersecurity team also leverages multiple third-party security programs for full-time monitoring of security stacks and on-demand support to act as force multipliers in the event of severe or critical security events.
The Company's Board of Directors has ultimate oversight of cybersecurity risk and aids in making decisions with respect to company priorities, resource allocations, and oversight structures. The Board of Directors is assisted by the Audit Committee, which regularly reviews the cybersecurity program with management and reports to the Board of Directors. Cybersecurity reviews by the Audit Committee or the Board of Directors generally occur at least once annually, or more frequently as determined to be necessary or advisable.
The Company's approach to cybersecurity risk management includes the following key elements:
While the Company has experienced minor cybersecurity incidents in the past, to date none have materially affected the Company or its financial position, results of operations and/or cash flows. The Company continues to invest in the cybersecurity and resiliency of its networks and to enhance its internal controls and processes, which are designed to help protect its systems, infrastructure, and the information they contain.