Fortune Brands Innovations, Inc. - (FBIN)
10-K Filing Date: February 27, 2024
The Company has an enterprise-wide cybersecurity program that is informed by the U.S. Department of Commerce National Institute of Standards and Technology Cybersecurity Framework. Our cybersecurity program encompasses the following key capabilities: 24x7 security monitoring, next-generation network security, advanced email and endpoint security, a dedicated enterprise cybersecurity team, third-party managed security services, third-party security assessment services, incident response retainer services, and external risk monitoring services. The Company also maintains cybersecurity risk insurance coverage to defray the costs of potential information security breaches.
The Company maintains an incident response plan. Our incident response plan coordinates the actions we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to address potentially applicable legal obligations and mitigate brand and reputational damage. Our incident response plan is updated as appropriate in response to changes within our organization or in response to external factors that may impact us. We test our incident response plan by conducting tabletop exercises on an annual basis.
Our associates receive annual cybersecurity training, and we conduct mock phishing campaigns to better enable our associates to recognize phishing emails and other social engineering tactics. We have established reporting processes for our associates if they encounter suspicious activity that may give rise to a cybersecurity incident.
Our cybersecurity risk management and strategy processes are led by our Senior Vice President and Chief Information Officer (“CIO”) and are supported by the Senior Director of Enterprise Cybersecurity. These individuals are also supported by both dedicated cybersecurity professionals and third-party security service providers. Our CIO is responsible for leading our technology organization across our global portfolio, which includes ERP, commercial, supply chain, and product development technologies, enterprise architecture, infrastructure, cybersecurity, technical operations, end-user services, and finance and human resources systems. Our current CIO has over 25 years of experience in information technology matters, and has over a decade of experience at the Company. Our Senior Director of Enterprise Cybersecurity has over 20 years of expanding leadership experience in information technology and 17 years of experience in information security leading and developing security programs. Our CIO provides regular updates on cybersecurity matters to our senior executives. In the event of a cybersecurity incident or incidents, our incident response plan includes detailed processes designed to ensure that information is escalated from our information technology management team to our CIO and to other members of our management team in a timely manner, such that senior leadership can provide critical decision support and oversight and otherwise monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents.
Cybersecurity-related risks are assessed as part of the enterprise risk management program. The Audit Committee is responsible for overseeing the Company’s enterprise risk management program. The Audit Committee also oversees the Company's information technology systems and controls, including the cybersecurity program and related risks. Annually, management assesses and ranks the risks identified through the enterprise risk management program according to the likelihood of occurrence and the potential monetary impact, which the Audit Committee reviews. Management also identifies and provides the Audit Committee with quarterly updates on these risks.
The CIO typically reported twice a year to the Audit Committee with cybersecurity updates. During such updates, the CIO generally covered topics such as data security positions, results from third-party assessments, our incident response plan, and any material cybersecurity threats and developments. In 2023, the CIO reported to the Board of Directors on cybersecurity programs and risk mitigation efforts and enhancements to the incident response plan that were applied in 2023. Starting in 2024, the CIO is scheduled to provide the Audit Committee with cybersecurity updates on a quarterly basis.
As part of the above processes, we engage with assessors, consultants, auditors and other third parties, including by (i) engaging third-party managed security services to assist with the operation of certain aspects of our cybersecurity program, (ii) engaging security assessment services to provide assessments on our cybersecurity program, (iii) engaging an incident response retainer service to provide timely cyber incident response support and digital forensics analysis services, (iv) engaging risk monitoring services to help identify emerging cybersecurity risks, and (v) engaging with other information technology and legal subject matter experts to review our cybersecurity program to help identify areas for continued focus, improvement, and/or compliance.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including risks to our customer, vendor, and employee data and to our systems. We conduct due diligence on third parties’ information security programs, and cybersecurity considerations may inform our selection of third-party service providers. In certain circumstances, including those where we believe a third party could introduce cybersecurity risk to us, we generally contractually require such third parties to manage their cybersecurity risks. We also receive the results of cybersecurity and data privacy audits conducted on certain vendors to determine whether those vendors meet our cybersecurity standards.
We describe the risks that cybersecurity threats, including as a result of any previous cybersecurity incidents, pose to us that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “We may experience delays or outages in our information technology systems and computer networks. We may be subject to breaches of our information technology systems or other cybersecurity incidents, which could damage our reputation and consumer relationships. Failures in our information technology systems and the costs of increasing information security regulation could also subject us to significant financial, legal and operational consequences" included as part of our risk factor disclosures under Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein. We have experienced, and will continue to experience, cyber incidents in the normal course of our business. However, to our knowledge, we have not had any cybersecurity incidents in the past three years that have had a material adverse effect on our business, financial condition, results of operations, or cash flows.