Ingredion Inc - (INGR)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
We face numerous cybersecurity risks that include cyber-based attacks and other security threats to our systems. We also could be adversely affected by cybersecurity incidents affecting our suppliers and other third-party service providers. To meet these threats, we expend considerable resources on cybersecurity risk management, strategy and governance.
The Board of Directors, directly and through its Audit Committee, oversees our cybersecurity risk management. The Board of Directors reviews material cybersecurity risks we face, approves strategic priorities, and monitors progress made towards those priorities. The Audit Committee is responsible under its charter for reviewing with our management our policies and procedures with respect to cybersecurity risks and the processes management has implemented to monitor and mitigate those risk exposures. On a regular basis, the Audit Committee considers management’s reports on significant changes to our cybersecurity policies and standards, as well as risk mitigation and remediation efforts being undertaken with respect to cybersecurity incidents and under the program generally. The Audit Committee regularly reports to the Board of Directors on its activities with respect to cybersecurity matters.
In general, our incident and crisis management plans are aligned with the National Institute of Standards and Technology (NIST) framework for cybersecurity. These plans are intended to provide a framework and processes that allow us to take a consistent approach to cybersecurity before, during and after a cybersecurity incident. Our plans are reviewed and updated periodically. In addition, we conduct cybersecurity tabletop exercises to simulate an actual incident and increase our team’s awareness and preparedness. Based upon these activities, we maintain a risk register to track identified vulnerabilities and associated mitigation plans. We also regularly conduct security awareness training and phishing exercises for our employees around the world to help them identify and report suspicious activity.
We have implemented a number of cybersecurity risk management processes to assess, identify and manage material risks from cybersecurity threats. We conduct real-time monitoring of our environment for suspicious cyber activity using a variety of security tools and centralized logging systems. In addition, we leverage threat intelligence monitoring to stay updated on emerging cyber threats and vulnerabilities and, utilizing this information, conduct regular vulnerability assessments. Furthermore, we conduct regular penetration tests to simulate real-world attacks and identify weaknesses.
To supplement our internal resources, we engage external consultants to conduct independent assessments, perform penetration testing, and provide other cybersecurity-related services as needed. We also utilize external consultants and legal counsel to facilitate cybersecurity tabletop simulations. In addition, we engage external vendors to review and test key controls within our cybersecurity program.
We regularly assess cybersecurity risks associated with our use of suppliers and other third-party service providers. In this process, we classify by level of risk our principal suppliers and other key service providers and evaluate their data security controls and changes in potential cybersecurity risk levels. In addition, our contracts with these service providers require them to promptly report security incidents to us and to provide us with access to relevant information and resources to allow us to conduct related investigations.
Our cybersecurity risk management processes are integrated as part of our overall enterprise risk management (ERM) processes. Our Audit Committee conducts its oversight of our cybersecurity risk management as part of its oversight of our enterprise risk management policies and procedures. In addition, we conduct an annual survey of over 150 Ingredion business leaders across multiple functions and geographic locations that asks them to evaluate the potential severity and likelihood of cybersecurity matters, among other enterprise and information technology risks. We solicit their views on information and data security protection against cyber and internal threats, reliability of systems including disaster recovery related to malware or other cyber threats, and system implementation failures, and use the responses to modify our risk mitigation strategies accordingly.
Subject to oversight by our Board of Directors and Audit Committee, as described above, our Chief Digital and Information Officer is responsible for developing and guiding our global information technology and digital strategy, which includes overseeing cybersecurity risk management. The Chief Digital and Information Officer provides guidance on cybersecurity strategy initiatives and risk mitigation activities to the Senior Director, Global Information Security and the associated function. Our Chief Digital and Information Officer and our Senior Director, Global Information Security provide regular reports on security incident activity, including containment and remediation measures as relevant, and other cybersecurity risk management matters to the Board of Directors and the Audit Committee.
Our Chief Digital and Information Officer has over 30 years of experience at multinational companies, including six years of service at our company in his current position as a digital leader and executive, including experience managing and responding to cybersecurity risks. He holds a bachelor’s degree in computer science. Our Senior Director, Global Information Security has over two decades of service at multinational companies and a federal government agency, including over one year of service at our company in his current position dedicated to information technology and cybersecurity, and possesses significant experience in protecting critical data and building cybersecurity-resilient organizations. He holds a bachelor’s degree in telecommunications management and a master’s degree in cybersecurity, as well as a current Certified Information Systems Security Professional (CISSP) certification.
To date, the risks from cybersecurity threats have not materially affected us. Notwithstanding our investment in cybersecurity, however, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our business, results of operations, or financial condition.
For a discussion of cybersecurity risks affecting our business, see Item 1A - Risk Factors - Risks Related to Our Information Technology Systems.