Kraft Heinz Co - (KHC)
10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
The Company assesses, identifies, and manages cybersecurity risk using a data-driven risk management program intended to reduce risks to the following impact classes: the Company’s obligations to prevent harm to parties, including employees, customers, and stockholders; and the Company’s business objectives.
As part of our cybersecurity strategy, we set risk targets based on our risk thresholds using industry-recognized standards for controlling and evaluating the risk of cybersecurity threats. The Company has developed cybersecurity policies supported by defined standards, including identity and access control, network controls, operational security, information classification, cybersecurity risk management, incident management and reporting, and security in software development lifecycle.
We undertake scheduled and targeted cybersecurity risk assessments to identify and prioritize risks to the impact classes described above, so that foreseeably harmed parties (which include our employees, contractors, partners, customers, stockholders, consumers, and suppliers) are explicitly included in our risk analysis and risk management priorities. We plan for, implement, and improve safeguards that are designed to reduce unacceptable risks to any foreseeably harmed party. We engage third-party service providers (including contractors and vendors) as part of our normal business operations, including collaborating with third-party experts to assist with evaluating, identifying, and managing our cybersecurity risks.
Our cybersecurity risk management program includes:
•Ongoing audits of third-party service providers, including penetration testing and reviews of program maturity based on the National Institute of Standards and Technology (“NIST”) cybersecurity framework;
•Due diligence reviews of third-party service providers’ information security programs;
•Regular phishing, social engineering, and cybersecurity awareness training for employees with Company emails and access to connected devices;
•Annual tabletop exercises to educate and train our personnel on response capabilities and inform adjustments to our controls and response;
•Regular consultation with external advisors and specialists regarding opportunities and enhancements to strengthen our cybersecurity practices and policies;
•Ongoing cybersecurity event monitoring, management, and testing of incident response procedures; and
•Ongoing enhancements to cybersecurity capabilities based on evolving threats.
We have adopted an incident response plan that applies in the event of a cybersecurity threat or incident to provide a standardized framework for responding to such cybersecurity incidents. The plan sets out a coordinated approach to investigating, containing, documenting, and mitigating incidents, including reporting findings and keeping senior management, the Board, and other key stakeholders informed and involved as appropriate. The plan is aligned to NIST guidance. It also adheres to standards of practice and includes the involvement of any personnel who may detect incidents, respond to incidents, resolve incidents, and manage communications and responsibilities with authorities about those incidents. The plan applies to all Company personnel (including third-party contractors, vendors, and partners) that perform functions or services requiring access to secure Company information, and to all devices and network services that are owned or managed by the Company.
We also employ systems and processes designed to oversee, identify, and reduce the potential impact of a cybersecurity incident at a third-party service provider. We maintain a third-party cyber risk management process to review and monitor potentially material third-party service providers’ security controls. Third-party service providers are required to provide independent attestation reports of their control environment, which are reviewed to validate that the controls meet Company security requirements. In the absence of such reports, third-party service providers are required to complete a detailed questionnaire describing their controls and provide relevant documentation. As part of the third-party risk management process, we request and review annual penetration test reports for the third-party service providers designed to assess whether all high and medium risk findings are addressed. The control environments for third-party service providers are reviewed annually.
Our cybersecurity risk mitigation strategy includes the use of cybersecurity insurance that provides protection against certain potential losses arising from certain cybersecurity incidents.
Risk management concerns, priorities, and progress are reported to the Company’s Enterprise Risk Committee quarterly as part of the Company’s overall enterprise risk management process. Risk management reports describe cybersecurity priorities, planned safeguards, and resource requirements necessary to achieve acceptable risk outcomes for foreseeably harmed parties.
The Company governs cybersecurity risk through a risk management program designed to enable employees, members of the Audit Committee, Enterprise Risk Committee, executive officers, and other personnel to make informed decisions about cybersecurity risk management that are appropriate for their level of responsibility. Our Chief Information Security Officer (“CISO”) oversees the team responsible for leading enterprise-wide information security strategy, policy, standards, architecture, and processes. Our CISO has extensive cybersecurity knowledge and skills gained from more than 20 years of work experience in information security in the consumer goods, banking, legal, healthcare, and education sectors as well as the government. Our CISO holds a master’s degree in computer and information systems security/information assurance and designations as a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM). The CISO evaluates cybersecurity risks, plans for reduction of risks, directs resources and priorities to improve cybersecurity safeguards, measures the results of those efforts, reports to our senior and executive leaders (including our Global Chief Information Officer and Global Chief Financial Officer), the Enterprise Risk Committee, and the Audit Committee regarding our cybersecurity risk priorities and progress, and solicits support from senior and executive leaders to further reduce risks through resources, prioritization, or other means. The CISO receives reports on cybersecurity threats from our Security Operations Center, external threat intelligence, trusted third-party security suppliers, and a peer network of CISOs at other global companies on an ongoing basis. Our Security Operations Center verifies and validates the threat information and modifies our detection and preventative controls as appropriate.
Our CISO works closely with our Chief Global Ethics and Compliance Officer and Chief Legal and Corporate Affairs Officer to oversee compliance with legal, regulatory, and contractual security requirements. The CISO’s team evaluates third-party service providers to a degree commensurate with the risk their services pose to us. As part of that program, we also provide feedback to service providers about risks they can reduce using commercially available safeguards. Additionally, the information security team works in partnership with the Company’s internal audit team to review information technology-related internal controls as part of our overall internal controls process.
The Audit Committee is responsible for oversight of the Company’s information technology and cybersecurity risks. To fulfill its oversight responsibilities, the Audit Committee reviews the measures implemented by the Company to identify and mitigate cybersecurity risks, and it receives updates from our Global Chief Information Officer and CISO at least twice a year. These updates cover topics related to information security, privacy, and cybersecurity risks and the risk management processes, including the status of significant cybersecurity incidents, the emerging threat landscape, and the status of projects to strengthen the Company’s information security posture. The Audit Committee regularly reports to the Board on information technology, cybersecurity, and privacy matters. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported promptly to the Audit Committee or Board, with ongoing updates regarding any such incident until it has been addressed.
We also rely on information technology, third-party service providers, and strategic joint venture partners to support our business and operations, including our secure processing of personal, confidential, financial, sensitive, proprietary, and other types of information, and to enable our service offerings. Despite ongoing efforts to improve our and third parties’ ability to protect against cybersecurity threats, we may not be able to protect all information systems, products, and service technologies.
While we have not experienced any material cybersecurity threats or incidents as of the date of this Annual Report on Form 10-K, there can be no guarantee that we will not be the subject of future successful attacks, threats, or incidents that may materially affect the Company or its business strategy, results of operations or financial condition. Additional information on cybersecurity-related risks is discussed under the heading “We are significantly dependent on information technology, and we may be unable to protect our information systems against service interruption, misappropriation of data, or breaches of security.” under Item 1A, Risk Factors.