KELLANOVA - (K)

10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy. Kellanova has established a cybersecurity program (the “program”) that is designed based on reviewing industry common practices and recognized frameworks (e.g., NIST and ISO, among others). The Company works to evolve its program to address material risks from cybersecurity threats. The program is developed from a top-down strategic risk management approach.

The program includes processes that identify how security measures and controls are developed, implemented, and maintained, as well as cybersecurity and information security training and awareness. The program includes a risk management process designed to identify internal and external cybersecurity threats and vulnerabilities to the Company’s business and operations, assess the likelihood and potential impact of the threats and vulnerabilities to the Company, and assess and prioritize the risks from cybersecurity threats and vulnerabilities to inform action plans and strategies to mitigate and manage these risks. The program’s risk assessment process, based on a method and guidance from a recognized national standards organization, is conducted annually. The risk assessment along with risk-based analysis and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: recognized frameworks, likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls, and impact of controls on operations and others.

Third-party security firms are used in different capacities to provide or operate some of these controls and technology systems, including cloud-based services and platforms. For example, third parties are used to conduct assessments, such as vulnerability scans and penetration testing. The Company uses a variety of processes to address cybersecurity threats related to the use of third-party technology and services, including pre-acquisition diligence, imposition of contractual obligations, and performance monitoring.

The Company, as part of its program, has a documented cybersecurity incident response plan and conducts tabletop exercises to enhance incident response preparedness. Business continuity and disaster recovery plans are used to prepare for a potential disruption in the technology we rely on. The Company is a member of cybersecurity intelligence and risk sharing organizations. Employees undergo security awareness training.

The Company has an Enterprise Risk Management (“ERM”) program to address enterprise risks, and cybersecurity is a risk category evaluated and identified by that function. One of the leaders of the ERM process is Kellanova’s Vice President, Internal Audit, and the process includes individuals with designated areas of focus and subject matter experts across Kellanova, including cybersecurity leaders. As the enterprise risk owner for cybersecurity, the Chief Digital and Information Officer supports the Chief Information Security Officer (“CISO”) and the information security team, which includes a Governance, Risk, and Compliance (GRC) function, to manage cybersecurity risk. The information security team collaborates on privacy and security governance.

Our computer systems have been and will likely continue to be subjected to cybersecurity threats. To date, we have not experienced a cybersecurity threat that has materially affected the Company, including its business strategy, results of operations, or financial condition.

Additionally, in Item 1A Risk Factors under the headings of “Risks Related to Our Intellectual Property and Technology”, and “Technology failures, cyber incidents, privacy breaches or data breaches could disrupt our operations or reputation and negatively impact our business”, forward-looking cybersecurity threats that could have a material impact on the Company are discussed. Those sections of Item 1A should be read in conjunction with this Item 1C.

Governance. The Kellanova Board of Directors has risk oversight responsibility for Kellanova, which it administers directly and with assistance from its committees. Oversight of the information security program sits with the Audit Committee. The Audit Committee has oversight responsibilities with respect to ERM, including cybersecurity, information security and data protection risk exposures, and the steps management has taken to monitor and control these exposures. In addition to periodically providing the Executive Management Team with information and cybersecurity briefings, the Chief Digital and Information Officer (“CDIO”) and Chief Information Security Officer (“CISO”) provide at least biannual updates to the Audit Committee regarding cybersecurity, including on strategy and the Company's cybersecurity program. For cybersecurity incidents, the Company’s cybersecurity incident response plan includes a process for incidents to be evaluated for material impact. The escalation protocol includes reporting of security incidents to members of the Kellanova Executive Management Team and reporting of any cyber incidents that could have a material impact on the Company to the Audit Committee.

As mentioned above, the CISO is the management position with primary responsibility for the development, operation, and maintenance of our information security program. The Company’s CISO has work experience in various roles in risk management, including developing information and cybersecurity strategy/programs, information security audit and assessments, and cybersecurity operations focused on identification, mitigation, and response to cybersecurity threats. The CISO has experience leading enterprise global efforts to align systems to industry-accepted standards and practices, as well as regulatory compliance requirements. The CISO has degrees in the areas of management of information systems and cybersecurity, and also maintains several information security and technology certifications, including as a Certified Information Systems Security Professional (“CISSP”) and Boardroom Certified Qualified Technology Expert (“QTE”).

The CISO reports directly to the CDIO, who is a member of the Kellanova Executive Management Team. The Company’s CDIO has technology experience overseeing and executing technology strategies in complex, global, and matrixed environments. The CDIO has been in the role since February 2019, bringing experience from overseeing and executing technology as European CIO at the Company, and over 20 years of experience leading IT strategy and change initiatives in the consumer packaged goods and manufacturing industries.