US Foods Holding Corp. - (USFD)
10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We invest in a comprehensive cybersecurity program that applies a recognized framework, utilizes industry standard tools, relies on expert partners, connects associates across the organization and leverages communication to protect our systems and our data.
Our cybersecurity program is designed to protect the confidentiality, integrity and availability of critical assets and information, using a proactive and risk-based approach. We utilize the National Institute of Standards and Technology (“NIST”) Cyber Security Framework to define and regularly reassess our cybersecurity program. The NIST framework is structured around five commonly defined stages (Identify, Protect, Detect, Recover and Respond) and is a comprehensive approach to information and cybersecurity risk management. Our policies, including our Information Security Policy and Privacy Policy, and procedures are designed to align with industry best practices and comply with regulatory requirements. We align our payment processing policies and procedures with industry security standards, including the Payment Card Industry Data Security Standard. Throughout the year, we conduct targeted audits and assessments, using internal and external resources, of certain aspects of our information security systems. We have developed and implemented a comprehensive program designed to protect the confidentiality of sensitive information, ensure the integrity of critical data and automated processes, and safeguard the availability of our information technology capabilities.
Moreover, we have implemented appropriate policies, processes, and technology to reduce the likelihood or impact of a breach, either at US Foods or through any third-party service provider, and have appropriate cyber insurance coverage through a standalone cyber policy. Our comprehensive cybersecurity program leverages technology, third-party expertise and trained personnel to provide whole-enterprise governance, collaboration for 24-hour monitoring, threat detection and incident response (whether an incident were to occur at US Foods or involving a third-party provider) and network, cloud and mobile security. We partner with security firms to manage our security information and event management (SIEM), identify external threats, perform penetration testing, complete security assessments and support incident response. These relationships are evaluated and benchmarked regularly to ensure quality resourcing to augment our internal staff and provide insight into emerging risks inside and outside the foodservice industry. Information obtained from these processes is shared directly with our Internal Audit and Legal functions to ensure cybersecurity policies, processes, threat detection and incident response are accurately captured as part of our broader enterprise risk management systems and processes. We have developed and continually evolve our privacy and security policies to promote organizational accountability for privacy, data governance, and data protection across our business and with our collaborative partners and suppliers.
In addition, we have an employee awareness program to regularly educate our workforce on the cybersecurity risks they face and how they can operate safely. We provide all associates that have network access with annual data-security training. Our training and education programs include specialized training for associates handling confidential information, information security awareness training, periodic anti-phishing campaigns, one-click email-enabled phish alert reporting functionality and advisory emails on emerging threats.
To date, we have not experienced any cybersecurity incidents that materially affected or were reasonably likely to materially affect our business strategy, results of operations or financial condition.
Governance Framework
Under the oversight of the Audit Committee of our Board of Directors, our cybersecurity function is managed by our Technology and Innovation team, led by our Senior Vice President, Chief Information Security Officer, Sara Schmidt, with support from the Internal Audit and Legal functions. Ms. Schmidt has served in the role since 2022. Before joining US Foods, Ms. Schmidt served as Chief Information Security Officer for Farmers Insurance, a national insurance company, from 2019 to 2022, and various other positions from 2015 to 2019. Ms. Schmidt began her career as a cryptography analyst with the National Security Agency, learning best practices and tactics to be an effective hacker and defender. After eight years with the NSA, she transitioned into the private sector, joining Perrigo Company from 2011 to 2015, before joining Farmers Insurance.
Ms. Schmidt and other members of Company management provide an annual cybersecurity report to our Board of Directors and quarterly reports to our Audit Committee, which reports include a review of potential threats and vulnerabilities.
We are aware that we must continuously evolve our controls to address new threats, adhere to changing laws and standards, and reduce the risk associated with the introduction of new, innovative technology. While all of our employees play a part in information security, cybersecurity, and data privacy, oversight responsibility is shared by the Board, its committees, and management, as further highlighted below.
| Responsible Party | Oversight Area for Cybersecurity and Privacy Matters |
| --- | --- |
| Board | Participates in regular reviews and discussions dedicated to the Company’s risks related to the protection of our data and systems, including cybersecurity and privacy. Receives periodic updates from external advisors regarding cybersecurity risk management and reporting. |
| Audit Committee | Primarily responsible for overseeing the Company’s risk management program related to cybersecurity. The Audit Committee provides feedback on the Company’s framework for assessing, prioritizing and mitigating cybersecurity risk and receives periodic updates based on this framework, including from third-party and internal audit assessments. Receives periodic updates from external advisors regarding cybersecurity risk management and reporting. |
| Disclosure Committee | The Disclosure Committee, which consists of individuals from our legal, accounting, finance and investor relations groups, provides general oversight in the area of cybersecurity and privacy, and is responsible for making disclosure determinations regarding cybersecurity incidents. The Disclosure Committee also receives periodic updates from the Chief Information Security Officer regarding threat detection and incident response. |
| Management | Responsible for designing, implementing and managing the Company’s framework for assessing, prioritizing and mitigating cybersecurity risk. Manages the Company’s privacy program. Responds to incidents and issues in a timely manner, and elevates emergent risks or incidents to the Disclosure Committee. Provides periodic updates to the Board, the Audit Committee and the Disclosure Committee, as applicable. |