MGP INGREDIENTS INC - (MGPI)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We have a multi-pronged approach to assess, identify, and manage material risks from cybersecurity threats. This approach includes system testing and patching, continuous monitoring, end-user training and awareness, multi-layered security, redundancy mechanisms, encryption, and internal audits and assessments. Assessment of cybersecurity risk is part of our overall enterprise risk management (“ERM”) process, which is reviewed by the Audit Committee of our Board of Directors, along with our strategies for managing our cybersecurity risks.
We maintain technical and organizational safeguards, including employee training, incident response capability reviews and exercises, cybersecurity insurance, and business continuity mechanisms for the protection of our assets. If faced with a cybersecurity incident, our IT team is trained to focus on responding to and containing the threat and minimizing any business impact, as appropriate. In the event of an incident, our IT team assesses, among other factors, safety impact, supply chain and
17
manufacturing disruption, data and personal information loss, business operations disruption, projected cost, and potential for reputational harm.
From time to time, our processes are audited and validated by internal and external experts. We leverage third-party cybersecurity experts with the goal of minimizing disruption to our business and production operations, strengthening supply chain resilience in response to cyber-related events, and supporting the integrity of IT systems. We also engage reputable third-party consultants to help evaluate and test our vulnerability to cybersecurity threats as well as to conduct annual penetration tests to help identify exploitable cybersecurity vulnerabilities. Our IT team assesses these testing results and implements any appropriate measures to mitigate vulnerabilities identified.
We have not experienced any material impacts from any cybersecurity threats or incidents in the last three fiscal years. We use each cybersecurity threat or incident as an opportunity to review our protocols and implement enhancements as applicable. For more information about our risks from cybersecurity threats, see Item 1A—Risk Factors—A failure of one or more of our key information technology (“IT”) systems, networks, processes, associated sites, or service providers could have a negative impact on our business.
Governance
Our Board of Directors is responsible for overseeing risk assessments and risk management, including cybersecurity risks, and is assisted in these efforts by the Audit Committee of the Board. Our IT team is responsible for assessing and managing our risks from cybersecurity threats. Our IT team is led by our Vice President of Information Technology and Security, who reports directly to our Chief Financial Officer. During 2023, our Chief Information Officer (who has been serving as our Chief Commercial Officer since January 2024) provided updates on cybersecurity threats and risks to our Board of Directors and to the Audit Committee of our Board of Directors. In addition, the Audit Committee reviewed cybersecurity risks and mitigation strategies in 2023, as part of their oversight of our enterprise risk management process.
Our Vice President of Information Technology and Security has over 25 years of experience in IT and has held a variety of IT roles across multiple business lines within the financial services, aviation, and hospitality industries. He received both his bachelor’s and master’s degrees in information management and holds Certified Information Systems Security Professional (“CISSP”) certification.
Our Vice President of Information Technology and Security monitors our processes for preventing, detecting, mitigating, and remediating cybersecurity incidents through his management of, and participation in, the cybersecurity risk management and strategy processes described above, including through the operation of our incident response plans, which include escalation to our Chief Executive Officer and Chief Financial Officer, as appropriate.
18