MOLSON COORS BEVERAGE CO - (TAP)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Our cybersecurity program is managed by a dedicated Global Chief Information Officer whose team, including the head of Information Technology Security, is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. Our Global Chief Information Officer has over 35 years of relevant industry experience, including over 29 years at our Company. Our Senior Director of Information Security functions as our Chief Information Security Officer and has over 20 years of relevant industry experience. Further, team members who support our cybersecurity program have relevant educational and industry experience through various roles involving information technology, security, auditing, compliance, systems and programming, as well as cybersecurity certifications such as a Certified Information Systems Security Professional or Certified Information Security Manager. Our Board, Audit Committee and senior management receive periodic briefings from the Global Chief Information Officer and the Senior Director of Information Security, concerning cybersecurity, information security and technology risks, and our related risk mitigation programs. In general, the Board is responsible for overseeing our enterprise risk management program ("ERM Program").
The ERM Program is a proactive and ongoing process led by our legal and risk professionals and senior management, to identify, assess and manage risks and to build out and track mitigation and reduction efforts. The Board has tasked the Audit Committee with overseeing, reviewing and discussing with management, the internal audit team and the independent auditors, our ERM Program, policies and procedures with respect to, among other things, the assessment and management of risks related to our cybersecurity and information security and the steps management has taken to monitor and control such risks.
The Audit Committee is also responsible for overseeing risks related to our cybersecurity, technology and information security programs and reviewing emerging cybersecurity, technology and information security developments and threats and our strategy to mitigate such risks. The Audit Committee provides another level of cybersecurity oversight through engagements at each Audit Committee meeting with senior management, including our Global Chief Information Officer and the Senior Director of Information Security. These reports include updates on our cybersecurity risks, threats, and incidents; our efforts to monitor, prevent, detect, mitigate and remediate the same; regulatory updates; the status of our cybersecurity projects, programs, and assessments; and periodic updates on our cybersecurity staffing and related matters. The Audit Committee regularly reports to the Board regarding these matters.
We engage in the ERM Program process semi-annually, which addresses, among other matters, emerging cybersecurity threats and models our exposure to the threat landscape against the overall strategic objectives of our Company. We regularly engage cybersecurity industry experts to assess, audit and consult on our cybersecurity practices. Further, we engage Managed Security Service Providers to monitor our information technology ("IT") environment, help identify attacks, forensically investigate and remediate breaches, and assess and test our IT system security. We also operate a cyber controls assessment program to monitor our internal program in between external assessments. We have also implemented a cybersecurity awareness training program to facilitate initial and continuing education for employees on cybersecurity and related matters. Regular reviews are conducted to assess our information security programs and practices, including incident management, service continuity, information security compliance programs and related achievements.
In addition, we operate a third-party cyber risk management capability which monitors the exposure of significant IT suppliers, significant software as a service suppliers and major vendors with access to our IT systems. We also monitor for significant changes in our cybersecurity risk posture and attempt to remediate the risk through collaboration with that partner. We also monitor for known breaches of the IT supplier landscape.
As previously disclosed, during March 2021, we experienced a systems outage that was caused by a cybersecurity incident. We engaged leading forensic information technology firms and legal counsel to assist our investigation into the incident and we restored our systems. Despite these actions, we experienced delays and disruptions to our business, including brewery operations, production and shipments. This incident caused a shift in production and shipments from the first quarter of 2021 to the balance of fiscal year 2021. In addition, we incurred certain incremental one-time costs of $2.4 million for the year ended December 31, 2021, related to consultants, experts and data recovery efforts, net of insurance recoveries. See also Part I—Item 1A Risk Factors for the following risk: Cybersecurity incidents impacting our information systems, and violations of data privacy laws and regulations could disrupt our business operations and adversely impact our reputation and results of operations.