Keurig Dr Pepper Inc. - (KDP)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
We use information technology and third-party service providers to support our global business processes and activities, which exposes us to cybersecurity risks. KDP’s risk management strategy includes ongoing cybersecurity risk assessment and reporting, incident management, and a diligence and risk management process for third-party service providers. Employees with network access participate in ongoing phishing, social engineering, and cybersecurity awareness training efforts, and we also conduct periodic tabletop exercises led by external consultants.
Our cybersecurity risk assessment and reporting process leverages the National Institute of Standards and Technology’s Cybersecurity Framework and is managed by our CISO, whose team comprises both internal personnel and third-party cybersecurity consultants. The CISO provides periodic reports to management, including our CEO, as well as other executive leadership members, and to the Audit and Finance Committee of our Board, which has oversight for cybersecurity risk management. These reports include updates on critical cybersecurity risks and the threat landscape; updates on the status of ongoing cybersecurity improvement initiatives, the internal control environment, and ongoing internal audit activities; and, if relevant, the status of actions taken with respect to certain cybersecurity incidents identified during the period.
We have an overall incident management plan, which is intended to provide guidance and protocols to facilitate timely notification and communication to key internal and external stakeholders during an incident. A subset of this incident management plan is our Security Incident Response Plan, or SIRP, which is based on leading cybersecurity incident response practices. Incidents may be escalated to the CISO, our Chief Information Officer, our Chief Legal Officer, or other members of management or the Board, depending on the severity of the incident, and are handled according to the SIRP protocols, which include incident detection and analysis; containment, eradication, and recovery; and post-incident monitoring. We have developed a framework for assessing the materiality of any such incidents, including a committee responsible for determining whether an incident is material for disclosure. The committee includes our CISO, our Chief Information Officer, our Chief Legal Officer, our Senior Vice President and Controller (Principal Accounting Officer), our head of Internal Audit, and other members of management with relevant subject matter expertise.
Our CISO has more than 25 years of experience in cybersecurity and information technology, including, prior to joining KDP in 2019, more than 11 years as a principal in Ernst & Young’s cybersecurity practice. Our CISO reports directly to our Chief Information Officer, who also has over 36 years of experience in information technology and cybersecurity.
To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, which have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For additional description of cybersecurity risks and potential related impacts on us, refer to the risk factors captioned “Our use of information technology and third-party service providers exposes us to cybersecurity breaches and other business disruptions that could adversely affect us” and “The use of information technology by our third party commercial partners and service providers exposes us to business disruptions or other negative impacts that could adversely affect us” in Item 1A, Risk Factors, in this Annual Report on Form 10-K.