NEWELL BRANDS INC. - (NWL)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard its information systems and to protect the confidentiality, integrity, and availability of its data. Cybersecurity risks are monitored, updated on a regular basis, and integrated as part of the Company’s broader enterprise risk management process. The reporting and analysis of cybersecurity risks have also been incorporated within the Company’s disclosure controls and procedures and internal disclosure committee process. The Company conducts multiple forms of cybersecurity awareness and training for employees including general cybersecurity awareness articles, role-based training, online cybersecurity awareness tools, and frequent monthly awareness presentations.
The Company uses a combination of internal and external resources to assess, identify, and manage material risks from cybersecurity threats. Internally, the Company leverages its global information security organization, the Information Technology function, privacy and compliance departments, operating segments, functional areas, and its internal audit function. Given the complexity and evolving nature of cybersecurity threats, the Company also utilizes the following external resources:
• two industry research and technology firms for benchmarking and industry research;
• several cybersecurity operations partners for risk detection and threat information sharing;
• cybersecurity penetration testing companies to provide regular technical assessments of our systems;
• an information sharing and analysis service specific to the consumer goods industry; and
• the assistance of its outside cybersecurity counsel.
The Company oversees its third-party service providers’ security posture by using an internally managed vendor security assessment process prior to vendor onboarding, with ongoing monitoring for any emerging risks. The Company supplements its internal processes with third-party security partners that provide risk measurements for third parties.
While the Company has not encountered cybersecurity risks that have materially affected or are reasonably likely to materially affect its strategy, results of operations or financial condition, there can be no guarantee that the Company will not be materially affected by such cybersecurity risks or a cybersecurity incident in the future. For a discussion of cybersecurity risks and incidents that may impact the Company, refer to the preceding section, Item 1A. Risk Factors.
Governance
The Company’s Board of Directors provides oversight of risks from cybersecurity threats through its Audit Committee. The Company’s Chief Information Security Officer provides regular quarterly updates on material cybersecurity risks, performance and material risk related metrics, and material risk mitigation strategies. These reviews help to inform the Audit Committee, identify areas for improvement and help align the Company’s cybersecurity risk management efforts with overall enterprise risk management. The Audit Committee incorporates this information into its regular reporting to the Board of Directors.
The Company’s management plays a critical role in assessing and managing cybersecurity risks. The Newell Brands Information Security program is led by the Company’s Chief Information Security Officer, a Certified Information Systems Security Professional (CISSP) with over 20 years of experience in cybersecurity gained at four global Fortune 500 companies, and the Company’s Chief Information Officer who has overseen the Company’s security function for the past 11 years. The Newell Brands Information Security program is governed by the Information Security Governance Committee (the “ISG Committee”), comprised of the Chief Information Security Officer (its Chair), Chief Financial Officer, Chief Legal and Administrative Officer, Chief Human Resources Officer, Chief Information Officer, and Vice President of Internal Audit. The ISG Committee meets quarterly to discuss material risks, material risk related metrics, and material risk mitigating strategies and conducts tabletop exercises.
In addition to the ISG Committee, Company management is informed about and monitors material cybersecurity risks and incidents through the following formal processes:
• Newell Brands Incident Response Policy and Procedures and related response and governance protocols for high severity incidents;
• Periodic Information Security program presentations to leadership; and
• Chief Information Security Officer material incident notifications to Company management, including the President and Chief Executive Officer.
The outputs from the management processes above are synthesized into the above-mentioned reporting to the Audit Committee of the Board of Directors.