ACCO BRANDS Corp - (ACCO)
10-K Filing Date: February 23, 2024
Risk Management and Strategy
The Company recognizes the importance of maintaining cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Our cybersecurity risk management is included within our overall enterprise risk management program.
We have implemented a risk-based cybersecurity program to identify, assess, prioritize and manage risks from cybersecurity threats. Our efforts are designed to maintain the confidentiality, integrity and availability of our information and operational technology systems and the data stored on those systems. In general, we address cybersecurity risks through a risk-based, cross-functional approach focused on preserving the confidentiality, integrity and availability of our information and information systems, and on mitigating and responding effectively to cybersecurity incidents and threats. As appropriate, the Company engages external parties, including consultants, legal counsel and audit firms, to enhance its cybersecurity oversight and assist with incident response. Our cybersecurity program includes:
Technical Safeguards
We deploy technical safeguards designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention systems, endpoint detection and response systems, regular monitoring and access controls. These safeguards are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
Security Policy and Requirements
We have an Information Security Policy that details the overall risk-based framework and governance for the management and security of our information technology assets and information. The policy applies to everyone who accesses our data or information resources, including third parties we engage.
Cybersecurity Roadmap and Risk Assessment
We have a cybersecurity roadmap, first implemented in 2020, that provides a framework for prioritizing and managing our ongoing cybersecurity program. We conduct periodic risk assessments based on the National Institute of Standards and Technology ("NIST") cybersecurity framework to identify and assess our cybersecurity risks and vulnerabilities, as well as information security maturity assessments to evaluate the maturity stage of the overall cybersecurity program. The results of these assessments are reported to the Audit Committee of the Board, and we adjust our cybersecurity roadmap, policies, processes and practices as necessary based on the information provided by these assessments and by the monitoring, testing and auditing noted below.
Incident Response and Recovery Planning
We have an established incident response and recovery plan based on the NIST cybersecurity framework. The plan specifies the process for identifying, classifying, documenting and responding to cybersecurity incidents, and includes escalation protocols to ensure the involvement of our executive leadership (our CEO, CFO, CIO and General Counsel) so that decisions regarding the public disclosure and reporting of any incident can be made by executive management in a timely manner.
Third-Party Risk Management
We use a risk-based approach to identify and oversee cybersecurity risks presented by third parties, including vendors and service providers, as well as risks from third-party systems that could adversely impact our business in the event of a cybersecurity incident affecting those systems.
Monitoring, Testing and Auditing
We monitor the evolving cybersecurity landscape for developments that could result in new or increased cybersecurity threats. We also periodically assess and test our policies, standards, processes and practices. These efforts include audits, vulnerability and penetration testing, tabletop exercises, social engineering campaigns and other internal and external assessments. We evaluate the effectiveness of our information technology-related internal controls annually.
Education and Awareness
The Company also regularly conducts mandatory cybersecurity training for its employees, and all new hires are required to take cybersecurity training when they receive their Company computer. Failure to complete the training in a timely fashion results in the employee's system access being suspended until completion. Management also regularly conducts "phishing" exercises to test the effectiveness of our training programs, and the results of these exercises are reported to the Audit Committee. Employees also receive monthly newsletters highlighting cybersecurity developments, as well as targeted email messages as appropriate.
Insurance
The Company maintains cybersecurity insurance coverage in an amount that management believes to be appropriate for the Company's risk profile.
Governance
Audit Committee Oversight
Our Audit Committee oversees the Company's cybersecurity risks. Ms. Dvorak has a certificate in Cybersecurity Oversight from the National Association of Corporate Directors and Mr. Burton is a technology expert with experience in online fraud and cybersecurity. Both Ms. Dvorak and Mr. Burton are members of our Audit Committee.
Our Senior Vice President and Chief Information Officer and our Vice President, Global Cybersecurity, update the Audit Committee regularly regarding the status of ongoing cybersecurity initiatives and strategies and on incident reports. Annually, they also present information regarding management's cybersecurity risk and maturity assessments, including changes to our cybersecurity roadmap resulting from these assessments. This annual briefing is also provided to the full Board, which also receives quarterly updates through the Audit Committee. The Audit Committee is notified and briefed regularly in the event of a cybersecurity incident, regardless of the ultimate severity of the situation. The Board and executive management participate in cybersecurity training and conduct tabletop exercises on a periodic basis.
Management Oversight
At a management level, our cybersecurity program is led by our Vice President, Global Cybersecurity, who oversees a team with extensive knowledge and expertise. He is a Certified Information Systems Security Professional (CISSP) with over 20 years of cybersecurity experience, and he reports to our Chief Information Officer, who reports to our Chief Executive Officer. Our Vice President, Global Cybersecurity also chairs our Cybersecurity Management Committee, which consists of senior business and functional leaders, including our Chief Information Officer and General Counsel. The Cybersecurity Management Committee is intended to provide cross-functional support for cybersecurity risk management and to facilitate the response to any cybersecurity incidents.
Cyber Risks, Threats and Incidents
As a global company serving customers in over 100 countries, we experience a variety of cybersecurity events and incidents. However, as of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity incident that has materially affected or is reasonably likely to materially affect our business, strategy, results of operations or financial condition, though there can be no assurance that a cybersecurity incident that could have a material impact on us will not occur in the future. For further details regarding the cybersecurity risks and uncertainties we face, see Item 1A. "Risk Factors-Technology and Cybersecurity Risks" of this report.