MOSAIC CO - (MOS)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
As a global company, we utilize and rely upon information technology systems in many aspects of our business, including internal and external communications and the management of our accounting, financial, production and supply chain functions. As we become more dependent on information technologies to conduct our operations, and as the number and sophistication of cyberattacks increase, the risks associated with cybersecurity increase. Failure to effectively anticipate, prevent, detect, and recover from the increasing number and sophistication of cyberattacks could have a material adverse effect on our results of operations or financial condition. To our knowledge, we have not experienced any material cybersecurity incidents of our technology systems.
Mosaic’s cybersecurity program is comprised of people, processes, and technology that are designed to adequately protect the confidentiality, integrity, and availability of information technology systems and data. Mosaic has strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk awareness. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. We have a Governance Risk and Compliance team which is a dedicated team within the cybersecurity department that focuses on identifying and mitigating cybersecurity and compliance risk. The team works closely with the Information Technology department to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. Our Enterprise Risk Management committee, which is comprised of members from our executive leadership team, reviews and evaluates key risks identified through cybersecurity risk management processes. Mosaic develops and continues to refine mitigation plans that adhere to industry best practices.
Regularly, Mosaic engages external vendors to provide independent insight to overall cybersecurity program effectiveness and to assist with evaluating response preparedness. As part of our third-party risk oversight, we regularly review the vendor's ratings and conduct assessments and interviews with their personnel. The results are then reported to leaders in the Information Technology department.
Governance
Board of Director Oversight
The Board of Directors oversees Mosaic’s Enterprise Risk Management program, and the Audit Committee is tasked with oversight of risk from cybersecurity threats. The Board receives an annual cybersecurity update while the Audit Committee receives reports from the Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”) regularly. The reports to the Audit Committee include updates on key performance indicators and key risk indicators, including short-term, intermediate-term and emerging risks. The Audit Committee then briefs the Board on these matters. Ad hoc updates occur as needed.
Management’s Role in Managing Risk
The Information Technology organization is led by the CIO who is responsible for cybersecurity and risk management, with oversight by the Audit Committee. The cybersecurity program is overseen by Mosaic’s CISO and supporting cybersecurity leadership, who lead teams to protect and preserve the confidentiality, integrity and continued availability of all information owned by, or in the care of, Mosaic. The CISO, along with the leadership team, possesses many years of relevant Information Technology, cybersecurity, and risk management experience in the manufacturing, electric, defense, financial, and retail sectors. Educational backgrounds include advanced degrees and certifications, such as Certified Information Systems Security Professional. During the course of the leadership team’s careers, they have built and sustained programs protecting other Fortune 500 companies, critical national infrastructure, and military defense systems.
The CIO and CISO regularly update the Board and/or the Audit Committee on cybersecurity matters and the effectiveness of the cybersecurity program. The Board and Audit Committee also engage directly with senior leaders from the Information Technology department.