BOSTON BEER CO INC - (SAM)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
The Company faces motivated and persistent cybersecurity threats from a variety of adversaries on a daily basis. As a manufacturing company dispersed across multiple states supported by a global supply chain, the Company recognizes the critical importance of maintaining the safety and security of its networks and systems, as well as ensuring the confidentiality, integrity, and availability of its data. The Company employs a holistic process for overseeing and managing cybersecurity and information security risks which is supported by both management and its Board of Directors.

 

As described in more detail below, the Company has established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. The Company has devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations and intends to continue to make significant investments to maintain the security of its data and cybersecurity infrastructure.

 

The Company's cybersecurity program is led by its Chief Information Security Officer (CISO), who reports to its Chief Information Officer (CIO). The CISO is responsible for management of cybersecurity risk and the protection and defense of the Company's networks and systems. The CISO manages a team of cybersecurity professionals with broad experience and expertise, including in incident response, forensics, threat intelligence, vulnerability management, and mitigation. The Company's cybersecurity team has processes in place to assess, identify, manage, and address material cybersecurity threats and incidents. These include, among other things: annual and ongoing security awareness training for employees, mechanisms to detect and monitor unusual network and endpoint activity, integrated threat intelligence, and containment and incident response tools. The cybersecurity team also leverages multiple third-party security programs for full-time monitoring of security stacks and on-demand support to act as force multipliers in the event of severe or critical security events.

 

The Company's Board of Directors has ultimate oversight of cybersecurity risk and aids in making decisions with respect to company priorities, resource allocations, and oversight structures. The Board of Directors is assisted by the Audit Committee, which regularly reviews the cybersecurity program with management and reports to the Board of Directors. Cybersecurity reviews by the Audit Committee or the Board of Directors generally occur at least once annually, or more frequently as determined to be necessary or advisable.

 

The Company's approach to cybersecurity risk management includes the following key elements:

 

Multi-Layered Defense and Continuous Monitoring. The Company works to protect its computing environments and products from cybersecurity threats through multi-layered defenses and applies lessons learned from its defense and monitoring efforts to proactively prevent future attacks. The Company utilizes best-in-class SIEM technologies, data analytics and threat intelligence to detect anomalies and search for cyber threats. The Company's internal cybersecurity team and third-party security services provide comprehensive cyber threat detection and response capabilities and maintain a full-time monitoring system which complements the technology, processes and threat detection techniques the Company uses to monitor, manage and mitigate cybersecurity threats. From time to time, the Company engages third-party consultants or other advisors to assist in assessing, identifying and/or managing cybersecurity threats and also periodically uses its Internal Audit function to conduct additional reviews and assessments.
Third-Party Risk Assessments. The Company conducts information security assessments before sharing or allowing the hosting of sensitive data in computing environments managed by third parties, and its standard terms and conditions contain contractual provisions requiring certain security protections.
Training and Awareness. The Company conducts monthly attack simulations across the Company and provides awareness training to its coworkers to help identify, avoid and mitigate cybersecurity threats. Employees with network access participate annually in required training, including spear phishing, malware, access control, and other awareness training. The Company also periodically hosts tabletop exercises with management and other employees to practice rapid cyber incident response.
Supplier Engagement. The Company requires its suppliers to comply with its standard information security terms and conditions as a condition of doing business, and requires them to complete information security questionnaires to review and assess any potential cyber-related risks depending on the nature of the services being provided. The Company also monitors supplier network access to its networks and systems.

 

While the Company has experienced minor cybersecurity incidents in the past, to date none have materially affected the Company or its financial position, results of operations and/or cash flows. The Company continues to invest in the cybersecurity and resiliency of its networks and to enhance its internal controls and processes, which are designed to help protect its systems, infrastructure, and the information they contain.