KROGER CO - (KR)

10-K Filing Date: April 02, 2024
ITEM 1C. CYBERSECURITY.

RISK MANAGEMENT AND STRATEGY

Securing Kroger’s business information, intellectual property, customer and employee data and technology systems is essential for the continuity of our businesses, meeting applicable regulatory requirements and maintaining the trust of our stakeholders. We have adopted enterprise cybersecurity risk mitigation and governance processes, which are set forth in the Kroger Cybersecurity Risk Management program (“CRM”), the Kroger Third-Party Cybersecurity Risk Management program (“TPCRM”), and the Kroger Cyber Incident Response Plan (“IR Plan”). Our approach is guided by the principles of the CRM, which includes monitoring threats and vulnerabilities and assessing and monitoring related controls, supporting the Corporate Information Security function, the Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”). Kroger’s cybersecurity policies, standards, processes, and practices are integrated into our overarching risk management system in an effort to enhance our ability to safeguard our operations and information, which includes quarterly cybersecurity reporting to the Board, delivered by senior leadership.

Kroger Cyber Risk Management Program

The CRM was developed in collaboration with third-party consultants and is aligned with the National Institute of Standards and Technology (“NIST”), Risk Management Framework (“RMF”), Cybersecurity Framework (“CSF”) and the International Organization for Standardization 27001 (“ISO 27001”). The program includes security and privacy, risk-based controls, and incorporates lessons learned from cybersecurity incidents. Under Kroger’s CRM, cyber risks, including cyber threats and cyber events/incidents, are assessed, treated, and monitored on a continuous basis. We integrate lessons learned from incident response and cyber risk mitigation into our cyber risk management strategy, in an effort to improve overall cybersecurity on an ongoing basis. Kroger's CRM program is spearheaded by specific management positions, chosen for their expertise in the field as further discussed below.

In line with cyber risk management best practices, we have collaborated with recognized third-party experts as needed to align the CRM’s foundational processes, metrics, monitoring, and reporting with common frameworks such as NIST and RMF.

Third-Party Cyber Risk Management

Recognizing the potential vulnerabilities posed by third-party relationships, Kroger has implemented a comprehensive TPCRM program. The TPCRM program is designed to assess third-party cybersecurity risks by employing third-party risk assessments, vendor tiering, and a dedicated team tasked with recommending holistic improvements to strengthen Kroger’s cybersecurity posture, sourcing, and contracting processes. Kroger’s Information Security Operations Center (“iSOC”) responds to known third-party incidents on a continuous basis. The iSOC is a part of the Corporate Information Security (“CIS”) department and is responsible for detecting, responding to, and escalating security incidents. We partner directly with business stakeholders and technology custodians to determine an appropriate response to manage incident risk to minimize the effect to the business. This response process is a regular and critical function of the iSOC and is defined in a separate appendix to the IR Plan. Any material risk identified from these incidents is escalated and communicated using formal severity and impact criteria as defined in the IR Plan.

Kroger Cyber Incident Response Plan

The IR Plan documents the processes by which information security events are detected, identified, prioritized, and analyzed. The Kroger iSOC, CISO, legal counsel, and corporate affairs stakeholders are then engaged depending on the incident’s scope, business effect, and potential material risk. This cross-functional team is responsible for assessing an appropriate response and mitigation pathway. Once security events are identified through the enterprise detection and monitoring ecosystem, the IR Plan sets forth an incident prioritization/decision workflow to determine scope, business effect, and potential material risk. This workflow is implemented through collaboration with the iSOC, CISO, legal counsel, and corporate affairs stakeholders.


In addition to the processes outlined above, we have also implemented an information security training program for employees that includes security awareness training related to cybersecurity risks, simulated phishing emails, and regular communication to the enterprise regarding cybersecurity risks.

We experience cybersecurity threats and incidents from time to time. We are not aware of any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, our financial condition, results of operations or cash flows. There can be no assurance that cybersecurity threats will not have a material effect on us, including our business strategy, our financial condition, results of operations or cash flows. Please see “Item 1A. Risk Factors” for more information on our cybersecurity-related risks.

GOVERNANCE

Protection of our customers’ data is a fundamental priority for our Board and management team. Our risk management team is integrated into our CIS function and is led by our CIO and CISO. The risk management team reports to the CISO and has combined experience in information security, governance, and compliance, including domains such as engineering, architecture, cybersecurity, and privacy. This team is responsible for defining the program, cybersecurity governance, and gathering insights related to assessing, identifying, and managing cybersecurity threat risks, their severity, and mitigations.

Kroger’s CIO reports to the CEO and leads technology and digital capabilities for the Kroger Co., including the overall cybersecurity strategy. Kroger’s CIO & Chief Digital Officer has over 20 years of experience leading and transforming technology, digital growth, and e-commerce in the retail and food industry. Kroger’s interim CISO brings nearly 20 years of experience developing and leading security and risk programs. His experience includes governance, information security, and threat management.

The Audit Committee of Kroger’s Board of Directors is charged with oversight of data privacy and cybersecurity risks. Kroger’s CIO and CISO provide quarterly updates on cybersecurity risks and related mitigating actions to the Audit Committee, meet with the full Board at least annually, and inform the Audit Committee immediately if a cybersecurity incident is deemed material. They report to the Audit Committee and the Board on compliance and regulatory issues, provide updates concerning continuously evolving threats and mitigating actions, and present a NIST Cybersecurity Framework Scorecard. Additionally, the CIO and CISO discuss and present strategies to address geopolitical threats that may affect operations, as well as technological changes such as AI and quantum computing. In overseeing cybersecurity risks, the Audit Committee focuses on aggregated, thematic issues with a risk-based approach. Oversight of cybersecurity risk incorporates strategy metrics, third-party assessments, and internal audit and controls. An independent third party also regularly reports to the Audit Committee and the full Board on cybersecurity, and outside counsel advises the Board on best practices for cybersecurity oversight by the Board and the evolution of that oversight over time. Management also reports on strategic key risk indicators, ongoing initiatives, and significant incidents and their effect.
