Avery Dennison Corp - (AVY)
10-K Filing Date: February 21, 2024
Item 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Our cybersecurity risk management ("CSRM") program, which is designed to protect the confidentiality, integrity and availability of our critical systems and information, includes a comprehensive cybersecurity incident response plan.
We design and assess our program based on the ISO 27000 series and the National Institute of Standards and Technology (NIST) SP 800 series and Cybersecurity Framework ("CSF"). We use these frameworks to help us identify, assess and manage cybersecurity risks relevant to our business. Our use of these frameworks is not intended to suggest that we meet any particular technical standards, specifications or requirements.
Our CSRM program complements our overall enterprise risk management program, using similar methodologies and governance processes to identify risks and mitigating strategies.
Our CSRM program includes risk assessments designed to help identify potentially material cybersecurity risks to our critical systems, information, products and services, as well as our broader enterprise IT environment; an IT security team principally responsible for managing our cybersecurity risk assessment processes, security controls and response to any cybersecurity events; the use of third party experts and service providers, where appropriate, to assess, test and otherwise assist with protecting our security environment; cybersecurity awareness training for our employees and further training for our incident response personnel and senior management; a cybersecurity incident response plan that includes procedures for assessing and coordinating our response to cybersecurity events; and a third-party risk management process for service providers, suppliers and vendors.
We have not experienced cybersecurity events that have materially affected our operations, results of operations, or financial condition. However, we face certain ongoing risks from cybersecurity threats that, if realized, would be reasonably likely to materially affect us, including our operations, results of operations, or financial condition.
Risks and uncertainties related to cybersecurity are discussed in greater detail under “Risks Related to Information Technology” in Item 1A of this report.
Cybersecurity Governance
Our Board of Directors (our “Board”) considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee primary responsibility for overseeing our CSRM program and engaging with management on cybersecurity and other risks related to our IT controls and security at least twice per year. Management updates the Audit Committee, if and as needed, regarding any significant cybersecurity events, as well as events that may have had lesser potential impact.
In addition to reports from its Chair on the Audit Committee's discussions on cybersecurity, our Board members receive periodic presentations on cybersecurity topics from our Chief Information Officer and our Information Security Officer ("ISO") as part of their continuing education on risks impacting public companies.
Our cybersecurity leadership team ("CSLT"), which includes leaders accountable for security operations, incident response, risk and compliance, data security, application security, digital solutions security, vulnerability management and operational technology security, is responsible for assessing and managing our risks from cybersecurity threats. The team has primary responsibility for our overall CSRM program and supervises both our internal cybersecurity personnel and our external cybersecurity consultants. Information security personnel maintain a variety of technical and managerial security certifications and have broad security experience in manufacturing, finance, software and IT environments.
The CSLT supervises our efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through a variety of means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants; and reports from cybersecurity systems deployed in our IT environment.