Coca-Cola Consolidated, Inc. - (COKE)
10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
The Company is committed to maintaining robust processes to assess, identify and mitigate material risks from cybersecurity threats and to protect against, detect and respond to cybersecurity incidents. We integrate these processes into the Company’s overall risk management program and, through the Company’s Cybersecurity Incident Response Plan, we document the intended processes and the roles and responsibilities of teammates involved in assessing, identifying and managing material risks from cybersecurity threats. Periodically, the Company engages third parties to assist in the assessment and ongoing development of cybersecurity processes.
Our cybersecurity processes are grounded in the National Institute of Standards and Technology Cybersecurity Framework and include a number of different preventative measures. The Company performs periodic risk assessments of systems and applications to identify risks, vulnerabilities and threats in systems and software, performs an annual assessment of the effectiveness of the current cybersecurity response process by conducting incident response tabletop exercises that involve participation by members of the management team, and requires all teammates to participate in user awareness training for information technology and cybersecurity.
Our systems are reasonably designed to enable the information technology infrastructure group to capture application, system and network alerts. In the event of a cybersecurity incident, the Cyber Incident Response Team (the “CIRT”), led by a designated Cyber Incident Coordinator (the “CIC”), is responsible for collecting and analyzing relevant data about the incident and its risks. Members of the CIRT, including the CIC, are selected based on their knowledge of either cybersecurity or the specific information systems or business function affected by the incident.
As part of planning for any suspected cybersecurity incident, the CIRT has developed certain incident response strategies to help collect and preserve forensic data, to mitigate the threat and to perform other activities to restore systems to normal operation. These strategies include many of the practices recommended by the U.S. Department of Homeland Security’s Industrial Control Systems Computer Emergency Response Team. In addressing and resolving a significant cybersecurity incident, the Company may engage external experts in relevant fields, such as legal or forensic services, as needed. The Company also has a process whereby the Chief Information Officer (the “CIO”) periodically meets with and assesses third-party service providers in order to help ensure the Company is made aware of any potential material cybersecurity threats or incidents in a timely manner. The Company’s largest external service provider is CONA, as further discussed in “Item 1A. Risk Factors” of this report.
During 2023, there were no identified cybersecurity risks or threats, including as a result of previous cybersecurity incidents, that had, or were reasonably likely to have, a material effect on our business strategy, results of operations or financial condition. While we maintain cybersecurity insurance, the costs related to cybersecurity incidents or disruptions may not be fully insured. See “Item 1A. Risk Factors” for a discussion of cybersecurity risks.
Governance
The Information Security Director, who reports to the CIO, is responsible for establishing basic policies and procedures related to cybersecurity. The Information Security Director is also responsible for selecting the CIRT and the CIC to lead the response to each incident. Established policies and procedures are employed by the CIRT in planning and executing a response to a cybersecurity incident. The CIO and the Information Security Director have over 55 combined years of information technology and program management experience and have served over 31 combined years in the Company’s corporate information security organization. They are familiar with the Company’s cybersecurity landscape, risks and best practices for mitigation of those risks identified.
The Company has developed a matrix to assist in determining if a cybersecurity incident is significant. The Information Security Director, with the help of the CIRT, determines whether an incident should be escalated to executive management, including to the Chief Executive Officer, the Chief Financial Officer and the General Counsel, based on its significance. Once escalated, executive management determines the appropriate incident handling strategy, with input from the Information Security Director, including whether the incident warrants immediate notification to the Audit Committee of the Board of Directors. After determining the incident handling approach, the CIC regularly updates executive management on incident response progress to ensure it is aware of the business risks posed by the incident until the incident is resolved.
The Board of Directors delegates oversight of information technology and cybersecurity to the Audit Committee of the Board of Directors. As part of this oversight, information technology leadership annually provides a detailed cybersecurity update to the Audit Committee. Additionally, on a quarterly basis, the Audit Committee receives a summarized cybersecurity update, including the results of teammate phishing testing programs and the results of the quarterly cybersecurity disclosure questionnaires. In the event of a material cybersecurity incident, the Audit Committee will report such incident to the full Board of Directors.