Freshpet, Inc. - (FRPT)

10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY

 

The information technology systems we rely upon to effectively manage our business data, communications, supply chain, order entry and fulfillment, and other business processes are subject to risk from security breaches and other significant disruptions. Such breaches and disruptions may occur through breaches by our personnel or by intrusions over the Internet, malware, computer viruses, attachments to e-mails or by persons with whom we have commercial relationships. While we have not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. See "Item 1A. Risk Factors— We are subject to cyber security risks and may incur increasing costs in an effort to minimize those risks".

 

Our information security organization, led by our Chief Information Officer (our "CIO") who reports to our Chief Financial Officer (our "CFO"), is comprised of both I.T. security leadership and dedicated Cybersecurity staff. The information security organization has extensive technology security and program management experience including cybersecurity professional certifications such as Certified Information Systems Security Professional ("CISSP"), advanced degrees in Information Assurance, and numerous years' experience assessing and managing cybersecurity risk within the Department of Defense and other public companies. Our CIO has over 25 years of technology experience, including leading information governance, I.T. security, and cybersecurity teams and initiatives across both publicly traded companies and global organizations.

 

Our policies, practices, and standards for addressing material risks associated with cybersecurity are integrated into our overall risk management and are based on industry standards, including those of the National Institute of Standards and Technology ("NIST"), which align the prevention techniques, identification, protection, detection, response, and recovery related to an incident. These controls are tested by our information security organization and by independent third parties. We actively engage with industry groups for awareness of best practices, and our third party provides industry benchmarking of critical areas within our cybersecurity posture.

 

Our organization-wide information security program focuses on implementing effective and efficient controls, technologies, and other processes to help protect, identify, assess, manage and mitigate material cybersecurity threats and incidents. These processes include, among other things, regular testing of these controls through table-top exercises, penetration and vulnerability testing, auditing of our information security by an independent third-party auditor, ongoing security awareness training for employees and other educational programs, and continuous monitoring of our cybersecurity posture. We also employ numerous tools including, but not limited to, segregated layers of controls for access to our systems and security tools that help identify, isolate, remediate, and recover from identified vulnerabilities and security incidents in a timely manner. Our cybersecurity posture is managed by both our information security organization and through partnerships with industry recognized cybersecurity firms.

 

We have also created, and tested through incident response drills, the Freshpet Incident Response Plan and Playbook, which together set forth policy-level directives, as well as specific guidelines for implementation, that describe our process for responding in the event of certain defined cyber incidents. These protocols (i) define the roles and responsibilities of participants, relationships to other Company policies and procedures, and reporting requirements needed during an incident, (ii) provide a framework by which our Incident Response Team (IRT) shall determine the scope and risk of an incident, respond appropriately to that incident, and inform the Board and others depending upon the nature and severity of the incident, and (iii) reduce the likelihood of a similar incident reoccurring following identification of such an incident.

 

Our CIO and other members of the information security organization routinely engage with our CFO regarding cyber risk management activities and provide updates and data, as needed, to other members of our executive team to facilitate decisions regarding security matters. No less than twice per year, and more frequently as appropriate, our CFO and CIO also provide updates regarding our cybersecurity risk management strategy and related activities to the Audit Committee of our Board of Directors, and provide other information as needed to facilitate the committee's oversight of our cybersecurity risk.

 

 
