COCA COLA CO - (KO)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We face various cyber risks, including, but not limited to, risks related to unauthorized access, misuse, data theft, computer viruses, system disruptions, ransomware, malicious software and other intrusions. We utilize a multilayered, proactive approach to identify, evaluate, mitigate and prevent potential cyber and information security threats through our cybersecurity risk management program. Our cybersecurity risk management program is integrated into our broader Enterprise Risk Management (“ERM”) program, which is designed to identify, assess, prioritize and mitigate risks across the organization to enhance our resilience and support the achievement of our strategic objectives. This integrated approach helps ensure that cyber risks are not viewed in isolation, but are assessed, prioritized and managed in alignment with the Company’s operational, financial and strategic risks, assisting the Company in more effectively managing interdependencies among risks and enhancing risk mitigation strategies.
We devote significant resources to protecting the security of our computer systems, software, networks and other technology assets. Our efforts are designed to adapt with the evolution of information security risks and appropriate best practices and include physical, administrative and technical safeguards. Our practices are generally developed from, and benchmarked against, recognized cybersecurity frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework. Our newly acquired businesses and consolidated bottling operations maintain separate cybersecurity programs and processes that may differ in scope and complexity from the Company’s overall cybersecurity programs and processes. However, for all consolidated entities, our cybersecurity risk management program is designed to help coordinate the Company’s identification of, response to and recovery from, cybersecurity incidents and includes processes to triage, assess the severity of, escalate, contain, investigate and remediate incidents, as well as to comply with applicable legal obligations.
Our internal audit team assesses the effectiveness of our internal controls relating to cybersecurity. Our management team also engages certain outside advisors and consultants on a regular basis to assist in the identification, oversight, evaluation and management of cybersecurity risks, as well as to advise on specific topics. For example, we conduct tests that help discover potential vulnerabilities, including external penetration testing and tabletop and other exercises, to evaluate our core information systems and cybersecurity practices; these tests support improved decision-making and prioritization and promote monitoring and reporting across compliance functions. As part of our overall risk mitigation strategy, the Company also maintains cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyberattacks and other related incidents.
In order to oversee and identify risks from cybersecurity threats associated with the Company’s independent bottling partners, distributors, wholesalers, retailers and other business partners, as well as our use of third-party service providers, we maintain a third-party risk management program designed to help protect against the misuse of information technology. We have various processes and procedures to evaluate cybersecurity threats associated with third parties, including requiring key third-party service providers to complete initial and periodic security assessments. In addition, our Global Chief Information Security Officer (“CISO”) and other senior leaders regularly meet with key bottling partners to discuss cybersecurity risks and mitigation programs in order to advance risk management capabilities and proactively share cybersecurity guidelines and best practices.
We have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, we have been the target of cyberattacks and expect them to continue, as cybersecurity threats have been rapidly evolving in sophistication and becoming more prevalent in the industry. We cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced an undetected cybersecurity incident in the past or that we will not experience such an incident in the future. For more information on the risks from cybersecurity threats that we face, refer to Part I, “Item 1A. Risk Factors.”
Cybersecurity Governance and Oversight
The Company’s cybersecurity risk management program is supervised by our CISO, who reports directly to the Company’s Chief Information Officer (“CIO”). The CISO and his team are responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. Our current CISO received his Master of Business Administration degree from Columbia University and has over 20 years of cybersecurity experience, including relevant prior senior leadership positions held with three other large companies.
The CISO chairs the Company’s Cybersecurity Oversight Council, a cross-functional management committee that drives awareness, ownership and alignment across broad governance and risk stakeholder groups for effective cybersecurity risk management. The Cybersecurity Oversight Council is sponsored by the Company’s Global General Counsel and CIO and is composed of senior leaders from our privacy, legal, information technology, cybersecurity, internal audit and global security and asset protection functions, among others. Subject matter experts are also invited, as appropriate. The Cybersecurity Oversight Council meets at least quarterly and has responsibility for oversight and validation of the Company’s cybersecurity strategic direction, risks and threats, priorities, resource allocation, capabilities and planning. The Cybersecurity Oversight Council acts in alignment with the Company’s Risk Steering Committee, another cross-functional management committee, which provides strategic direction and oversight over the Company’s ERM program. The CISO and his team, as well as the Cybersecurity Oversight Council, are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in accordance with the Company’s cyber incident response plan.
The Audit Committee of the Board of Directors is charged with oversight of cybersecurity matters and receives regular reports from the CISO and the CIO on, among other things, the Company’s cyber risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging threat landscape. In accordance with our cyber incident response plan, the Audit Committee is promptly informed by management of cybersecurity incidents with the potential to materially adversely affect the Company or its information systems and is regularly updated about incidents with lesser impact potential. The Chair of the Audit Committee regularly briefs the full Board on these matters. In addition, the Board also periodically receives cybersecurity updates directly from management.
In an effort to detect and defend against cyber threats, the Company annually provides its employees with various cybersecurity and data protection training programs. These programs cover timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and educate employees on the importance of reporting all incidents promptly to the Company’s centrally managed cyber defense and security operations.