CHURCH & DWIGHT CO INC /DE/ - (CHD)

10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY

 

Cybersecurity Risk Management and Strategy

We collect, use and store personal information of our employees, consumers and other third parties in the ordinary course of business. In addition, we sell certain products directly to consumers online and through websites, mobile apps and connected devices, and we offer promotions, rebates, loyalty and other programs through which our data systems may receive personal information. We recognize the importance of data privacy and security and are committed to safeguarding and protecting our information and any other information entrusted to us. We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information which is integrated with our overall risk management program. Our cybersecurity risk management program includes a cybersecurity incident response plan to respond to security breaches and cyberattacks. Our cybersecurity incident response plan is part of our overall Information Security Program, which is led by the Company’s Vice President, Global Chief Information Security Officer ("CISO") and overseen by the Company’s Senior Vice President, Global Chief Information Officer, and is designed to protect and preserve the confidentiality, integrity and continued availability of all information owned by, or in the care of, the Company, and the Company’s ability to operate. Our cybersecurity incident response plan includes controls and procedures for timely and accurate reporting of any material cybersecurity incident. We design and assess our program based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

 

Our cybersecurity risk management program includes:

risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our global enterprise IT environment;
a security team responsible for managing our (1) cybersecurity risk assessment processes, (2) security controls, and (3) response to security breaches and cyberattacks;
the use of external service providers, where appropriate, to assess, perform tabletop exercises or otherwise assist with aspects of our security controls and designed to anticipate cyberattacks and respond to breaches, including an annual maturity assessment of our program by an external third-party;
cybersecurity awareness training of our employees and contractors, incident response personnel, and senior management to help them better understand the issues and risks relative to cybersecurity, as well as data privacy (for our employees);
Periodically throughout the year, our IT department performs phishing and other exercises to both test our systems and reinforce training of our personnel;
a cybersecurity incident response plan managed by our CISO that includes procedures for responding to cybersecurity incidents and is designed to protect and preserve the confidentiality, integrity and continued availability of all information possessed by the Company; and
a third-party risk management process for service providers, suppliers, and vendors.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or cash flows.

 

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program, including reviewing risk assessments from management with respect to our information technology systems and procedures, and overseeing our cybersecurity risk management processes.

The Audit Committee, which is tasked with oversight of certain risk issues, including cybersecurity, receives reports from the Senior Vice President, Global Chief Information Officer and the Vice President, Chief Information Security Officer each quarter. At least annually, the Board of Directors and the Audit Committee also receive updates about the results of exercises and response readiness assessments led by outside advisors who provide a third-party independent assessment of our technical program and our internal response preparedness. The Audit Committee regularly briefs the full Board of Directors on these matters, and the full Board also receives periodic briefings regarding our Information Security Program and cyber threats, including threats faced by our peers, in order to enhance our directors’ literacy on cyber issues. In addition, management will update the Audit Committee, as necessary, regarding cybersecurity incidents that we may experience.

Our management team, including our Chief Information Officer, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and oversees both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team’s cybersecurity risk management is led by our CISO, who has significant experience across digital innovation and technology-enabled growth, information security, infrastructure, operations and compliance.

Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.