TreeHouse Foods, Inc. - (THS)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity
Risk Management and Strategy

Our cybersecurity program and controls are designed to assess, identify, and manage material risks from cybersecurity threats, and protect and preserve the confidentiality, integrity, and continued availability of all information owned by, or in the care of, the Company. Cybersecurity risks are incorporated into the Company’s broader Enterprise Risk Management process to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. As part of the cybersecurity program, our information systems are monitored by automated tools and the Information Security team. The Company’s Security Incident Management Process outlines the procedures the Company believes are necessary to prepare for, identify, contain, eradicate, and recover from a security incident, and is overseen by the Information Security team. We have also adopted a Cybersecurity Incident Response Plan to provide organizational and operational structure, processes, and procedures to Company personnel, so that team members can properly respond to incidents that may affect the function and security of our IT assets, information resources, and business operations. We conduct regular information security awareness training for employees and provide related educational materials.

We also have processes to oversee and identify material risks from cybersecurity threats associated with our use of third-party service providers. Our managed security service provider performs security reviews of select third party service providers that include such provider’s system and organization controls or third party security assessments. We monitor and assess the information gathered by our security tools and services to identify gaps, exposures, or weaknesses in our overall security posture, and engage reputable external specialists to provide independent assessments of our cybersecurity program and response preparedness. Further, the Company’s enterprise level IT general controls are audited annually.

Impact of Cybersecurity Risks and Threats
We are not aware of having experienced any risks from cybersecurity threats or incidents through the date of this Report that have materially affected the Company, its business strategy, results of operation or financial condition or are reasonably likely to have such an effect over the long term. This does not guarantee that future incidents or threats will not have a material impact or that we are not currently the subject of an undetected incident or threat that may have such an impact.

Additional information on cybersecurity risks we face is discussed in Part I, Item A – Risk Factors, which should be read in conjunction with the foregoing information.

Governance

Board of Directors
Our Board of Directors oversees our Enterprise Risk Management program, and cybersecurity risks are monitored as a part of the broader program. Our Board has delegated the primary responsibility to oversee risks from cybersecurity threats to the Audit Committee. The Audit Committee regularly reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our Audit Committee receives quarterly updates from the Chief Information Officer ("CIO") on significant risks, cyber incidents, key performance indicators measuring the effectiveness of our cybersecurity risk program, and other relevant matters. The Audit Committee regularly briefs the Board on these updates, and the Board also receives periodic briefings on cybersecurity risk as part of the Company’s broader Enterprise Risk Management program. These risks, including current and emerging risks, are regularly evaluated by the Audit Committee and the Board. In addition to the regular updates to the Audit Committee, we have protocols by which certain cybersecurity incidents and threats are escalated within the Company and, where appropriate, reported in a timely manner to the Board and Audit Committee.

Management
Our CIO is responsible for our information security program and controls, which includes cybersecurity risk management. Our VP, Information Technology leads our cybersecurity program and Information Security team, which is responsible for assessing and managing the Company’s material risks from cybersecurity threats and executing our information security controls. The CIO and VP, Information Technology have extensive cybersecurity knowledge and skills gained from each having over 20 years of relevant experience. The CIO and VP, Information Technology are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through reports from the Information Security team and regularly reviewing risk management measures implemented by the Company to identify and mitigate cyber security risks.

