FLOWERS FOODS INC - (FLO)
10-K Filing Date: February 21, 2024
Protecting the security of our information systems is of significant importance to Flowers. We follow certain policies, protocols, and practices that address cybersecurity.
Risk Management and Strategy. We have processes in place for assessing, identifying and managing material risks from cybersecurity threats. These processes have been integrated into our enterprise risk management system. These processes also cover third-party service provider incidents that may impact the company.
Our cybersecurity program includes employee training and a computer security incident response plan (the “CSIRP”) that provides controls and procedures designed to timely and accurately report material cybersecurity incidents. Employees receive regular security training, and we conduct periodic phishing testing to assess whether our employees require additional training. Additionally, we provide our employees with easy-to-use tools to report potential phishing emails. The CSIRP establishes an organizational framework and guidelines to assist the Company in identifying, responding to, and recovering from computer security incidents, both at the company and at its third-party service providers where those incidents may impact the company. The CSIRP also establishes the security incident management team (the “SIM Team”), a legal team (the “Legal Team”) and the computer security incident response team (the “CSIRT”). Each of the SIM Team, the Legal Team, and the CSIRT, often in consultation with the VP of Information Security, has a discrete set of responsibilities and obligations under the CSIRP. The CSIRT is a broad, cross-functional team of management stakeholders assigned with coordinating, developing, and managing the Company’s response to computer security incidents when activated.
Once the CSIRT has been activated, incidents are reported to a subcommittee of the Company’s disclosure committee, which consists of certain senior executives and leaders throughout the company and is charged with making disclosure determinations.
The CSIRP provides that, when activated, the CSIRT will lead all aspects of incident response, including the engagement of outside counsel and other third-party resources, such as an external incident response team, forensic resources, a crisis management or public relations firm, or notification service providers. For incidents where the CSIRP is not activated, either the SIM Team or the Legal Team, depending on the circumstances, is expected to lead and manage the incident response.
We maintain insurance covering certain costs that may be incurred in connection with cybersecurity incidents, should they occur. The company engages consultants, auditors, and other third parties to identify and manage risk from third parties.
No risks from previous cybersecurity threats have materially affected or are reasonably likely to materially affect Flowers’ business strategy, results of operations, or financial condition. However, we may incur significant costs in protecting or remediating cyber-attacks or other cyber incidents. If we are unable to prevent physical and electronic break-ins, cyber-attacks and other information security breaches, we may suffer financial and reputational damage, be subject to litigation or incur remediation costs or penalties because of the unauthorized disclosure of confidential information belonging to us or to our partners, customers, suppliers or employees.
Governance. The company’s board of directors oversees the company’s Information Security program, which is approved annually. The audit committee is tasked with oversight of certain risk issues, including cybersecurity. As described in its charter, the audit committee of the Board of Directors oversees risks related to information technology security and regularly reviews and discusses with management the company’s information technology security risk exposures, including (a) the potential impact of those exposures on the company’s business, financial results, operations and reputation, (b) the steps that management has taken to monitor and mitigate such exposures, (c) the company’s information governance policies and programs, and (d) legislative and regulatory developments that could materially impact the company’s privacy and data risk exposure.
At the management level, the company’s IT systems are overseen by our chief information officer, who has responsibility for information technology strategy and operations. The company’s Information Security program is led by the company’s VP of Information Security, who has responsibility for information security strategy and operations. This individual has a variety of IT security skills, experiences and professional expertise, obtained through work experience and information security certifications and education.
Management tracks cybersecurity incidents through the process described above. Management regularly reports to the audit committee regarding policies and processes for assessing and managing risk associated with information technology and cybersecurity, as well as material cybersecurity incidents.