ALTRIA GROUP, INC. - (MO)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We rely extensively on information technology, much of which is managed by third-party service providers (such as cloud data service providers), to support a variety of business processes and activities, including: complying with regulatory, legal, financial reporting and tax requirements; engaging in marketing and e-commerce activities; managing and improving the effectiveness of our operations; researching, developing, manufacturing and distributing our products; collecting and storing sensitive data and confidential information; and communicating with employees, investors, suppliers, trade customers, adult tobacco consumers and others. Recognizing the critical importance of cybersecurity in today’s digital landscape, we are committed to safeguarding our information assets, protecting consumer data and maintaining the integrity and availability of our systems. Accordingly, we have implemented an extensive cybersecurity risk management framework designed to identify, assess, mitigate and prevent potential cybersecurity risks and to align with industry best practices and all applicable regulatory requirements. We evaluate our cybersecurity risk management framework against the National Institute of Standards and Technology’s Cybersecurity Framework, which outlines the core components and responsibilities necessary to sustain a healthy and well-balanced cybersecurity program. We also align our security standards for infrastructure configuration with the Center for Internet Security’s Benchmarks, which are prescriptive recommendations based upon the consensus of global cybersecurity experts.
Our framework is built around the following key principles: (i) risk assessment and threat intelligence; (ii) security controls; (iii) incident response; (iv) employee awareness and training; and (v) third-party risk management. We have integrated our cybersecurity framework into our broad enterprise risk management processes, which allows us to leverage our existing enterprise-wide experience in managing risk and adapting to change in the cybersecurity threat landscape.
Risk Assessment and Threat Intelligence: We conduct regular risk assessments to identify potential cybersecurity vulnerabilities and threats. Our Information Technology (“IT”) Risk Management function, overseen by our Chief Information Security Officer (“CISO”), leads internal self-assessments, which involve evaluating the security posture of critical systems, networks and applications as well as the potential impact of cybersecurity threats on our business operations, financial condition and reputation. IT Risk Management also conducts ongoing threat monitoring and has implemented monitoring systems, including technologies such as intrusion detection systems, security information and event management tools and threat intelligence programs.
We regularly engage third-party consulting services to conduct audits and assessments of the effectiveness of our cybersecurity controls and processes and identify areas for improvement based on developments in industry best practices. We also leverage third parties to evaluate our cybersecurity and risk management strategy, review policies and procedures to address new risks and maintain ongoing compliance with evolving legal and regulatory requirements. For example, we partner with leading global security providers to leverage various threat intelligence channels as input to monitor and tune our controls to prevent a cybersecurity attack.
Security Controls: We employ a layered approach to cybersecurity, implementing a range of technical and procedural controls to protect critical systems and data. These controls include (i) firewalls and intrusion detection and prevention systems to monitor and block unauthorized access attempts, detect and prevent malicious activity and safeguard network infrastructure, (ii) encryption of information in transit and at rest, together with secure protocols and multi-factor authentication to protect access to that information and (iii) secure network architecture that segregates critical systems from the public internet, limiting exposure to potential threats. We also conduct regular security patching to address emerging cyber threats.
Incident Response: We have established an incident response plan and playbooks, which include procedures designed to respond to and recover from cybersecurity incidents. These procedures, which our IT Risk Management function reviews on an ongoing basis both internally and with third-party consultants, provide detailed descriptions of the roles and responsibilities of key stakeholders and the procedures for communication and coordination during an incident. The procedures also provide guidelines for escalating information to senior management, our Disclosure Controls Committee, our Audit Committee, which, as discussed below, has been delegated responsibility for our Board’s cybersecurity risk oversight function, and our full Board and for providing timely public disclosure, when necessary.
To maintain incident readiness and resilience, we conduct periodic disaster recovery exercises and cybersecurity incident management exercises led by our IT Risk Management function. These exercises involve simulating various scenarios and testing our response strategies, allowing us to identify vulnerabilities, refine procedures and enhance our overall crisis management and recovery capabilities. We believe regular practice and evaluation allow us to minimize the impact of potential disruptions and safeguard our operations, data and reputation.
Employee Awareness and Training: We recognize that employees play a critical role in maintaining a strong cybersecurity posture. Our Information Governance Policy sets forth the requirements for employee conduct relating to company information and company-managed devices, including relevant privacy, data security and data retention policies. We believe that our Information Governance Policy is aligned with industry best practices and applicable legal and regulatory requirements. In addition to our Information Governance Policy, we conduct regular cybersecurity training programs emphasizing the importance of cybersecurity awareness. These programs address relevant cybersecurity topics, such as common cybersecurity threats, phishing awareness and best practices for safeguarding sensitive information. Employees are held accountable for completing all assigned cybersecurity programs and meeting certain performance thresholds in phishing awareness exercises, and there is a range of consequences for underperformance that includes termination.
Third-Party Risk Management: We acknowledge the potential cybersecurity risks inherent in our relationships with third parties. Accordingly, we have implemented a third-party risk management program to identify and oversee such risks. This program relies on key elements including risk assessment, due diligence, contractual provisions and ongoing monitoring to identify high-risk third parties and specific risks and to mitigate their impact. We use security risk assessment questionnaire tools to identify high-risk third parties, allowing us to effectively assess and mitigate potential security vulnerabilities.
Our third-party risk assessment framework evaluates the cybersecurity practices and controls of third parties. For high-risk third parties, we perform rigorous due diligence inquiries, reviewing documentation with respect to their security policies, incident response capabilities, data protection measures and regulatory compliance. We also review evidence of cybersecurity certifications and the results of independent audits. For high-risk third parties with access to sensitive data or systems, we conduct more in-depth assessments. Our contracts with high-risk third parties contain provisions related to data protection, confidentiality, incident reporting and compliance with all applicable laws and regulations. Throughout our engagements with high-risk third parties, we maintain a monitoring program with respect to their cybersecurity posture. Leveraging tools such as security questionnaires, security ratings and external threat intelligence, we regularly review and update third-party risk assessments based on changes in the third party’s services or practices and the risk landscape.
Governance
Our Board devotes significant time and attention to our cybersecurity and information technology risks. Our Board executes its cybersecurity risk oversight function as a whole and by delegating responsibility to our Audit Committee. Our CISO and Chief Information Officer present to our Board annually and to our Audit Committee at least twice each year on a broad range of topics, such as recent and potential cybersecurity threats and incidents across our industry, best practices and policies, emerging trends, vulnerability assessments and management’s ongoing efforts to prevent, detect and address internal and external cybersecurity threats specific to us. These briefings also include periodic third-party cybersecurity program assessments and benchmarks and updates from our cybersecurity incident management exercises. Cybersecurity risks are documented in an IT Risk Dashboard, which is shared with our Audit Committee for awareness several times each year. Our full Board also has access to these materials. Finally, we provide periodic cybersecurity training to our Audit Committee and Board to further cybersecurity awareness and risk oversight.
While our Board and Audit Committee oversee cybersecurity risk, senior management is responsible for actively managing cybersecurity risk, including by overseeing and executing the risk management strategies discussed above. Our Risk Oversight Committee, which is chaired by our Chief Compliance Officer and comprised of members of senior management, including our Chief Financial Officer, Chief Operating Officer, Chief Strategy and Growth Officer and General Counsel, oversees the management of key enterprise risks, including cybersecurity risks. Senior management reports annually to the Board with respect to our overall enterprise risk management processes. Our CISO presents to the Risk Oversight Committee quarterly to review the status of management’s key cybersecurity risk management strategies. The Risk Oversight Committee also receives the quarterly IT Risk Dashboard.
Our CISO is responsible for assessing and managing cybersecurity risks and maintaining our cybersecurity program. Our CISO has over 20 years of experience, including five years as our CISO, managing technology risks across multiple industries, including financial services, technology and manufacturing. Through strategic hiring and internal development, our CISO increases the levels of skill and experience on our IT Risk Management team to stay ahead of evolving cybersecurity threats. As of the date of this filing, 94% of our IT Risk Management team has technical industry certification, and members of the IT Risk Management team have an average of 15 years of cybersecurity experience. Our CISO currently serves as an advisor to multiple industry groups. Our cybersecurity program undergoes an annual controls effectiveness assessment and bi-annual program maturity evaluation against industry peers and consistently receives assessments indicating that it is ahead of the cybersecurity programs of our peer group.
As of the date of this filing, we are not aware of any current cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business, results of operations or financial condition. For further discussion of the risks related to cybersecurity, see Item 1A. Risk Factors - Risks Relating to Our Business - Information Technology and Data Privacy Risks.