PEPSICO INC - (PEP)
10-K Filing Date: February 08, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We are regularly subject to cyberattacks and other cyber incidents. In response, we have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage cybersecurity risks. Our enterprise risk management framework considers cybersecurity risk alongside other company risks as part of our overall risk assessment process. Our enterprise risk management team collaborates with our Information Security function, led by the Company’s Chief Strategy and Transformation Officer and the Company’s Chief Information Security Officer, to gather insights for identifying, assessing and managing cybersecurity threat risks, their severity, and potential mitigations.
We assess PepsiCo’s Information Security program using an industry-leading cybersecurity framework from the National Institute of Standards and Technology. To help assess and identify our cybersecurity risks, we maintain internal resources to perform penetration testing designed to simulate evolving tactics and techniques of real-world threat actors, engage with industry partners and law enforcement and intelligence communities and conduct tabletop exercises and periodic risk interviews across our business. We also engage an independent third party to perform internal and external penetration testing of PepsiCo’s environment periodically and engage other third parties to periodically conduct assessments of our cybersecurity capabilities. In addition, we continue to expand training and awareness practices to mitigate human risk, including mandatory computer-based training, internal communications, and regular phishing awareness campaigns that are designed to emulate real-world contemporary threats and provide immediate feedback (and, if necessary, additional training or remedial action) to employees.
Our processes also address cybersecurity risks associated with our use of third-party service providers, including suppliers, software and cloud-based service providers. We proactively evaluate the cybersecurity risk of a third party by utilizing a repository of risk assessments, external monitoring sources, threat intelligence and predictive analytics to better inform PepsiCo during contracting and vendor selection processes. Additionally, when third-party risks are identified, we require those third parties to agree by contract to implement appropriate security controls. Security issues are documented and tracked, and periodic monitoring is conducted for third parties in order to mitigate risk.
In addition to the processes, technologies, and controls that we have in place to reduce the likelihood of a successful material cyberattack, the Company has established well-defined response procedures to address cyber events that do occur. The program provides for the coordination of various corporate functions and governance groups and serves as a framework for the execution of responsibilities across businesses and operational roles. Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to assess for potential disclosure, comply with potentially applicable legal obligations and mitigate brand and reputational damage. We also maintain insurance coverage that, subject to its terms and conditions, is intended to address costs associated with certain aspects of cyber incidents and information systems failures.
Based on the information we have as of the date of this Form 10-K, we do not believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. See “Item 1A. Risk Factors” for further information about these risks.
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Given that cybersecurity risks can impact various areas of responsibility of the Committees of the Board, the Board believes it is useful and effective for the full Board to maintain direct oversight over cybersecurity matters. In 2021, the Board amended our Corporate Governance Guidelines to specifically mention cybersecurity as an area of Board oversight to reflect this existing practice. The Board receives and provides feedback on regular updates from management, including from the Company’s Chief Strategy and Transformation Officer and the Company’s Chief Information Security Officer, regarding cybersecurity governance processes, the status of projects to strengthen internal cybersecurity, results from third-party assessments, and also discusses any significant cyber incidents, including recent incidents at other companies and the emerging threat landscape.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by the Company’s Chief Strategy and Transformation Officer and the Company’s Chief Information Security Officer. Such individuals have significant prior work experience in various roles across multiple industries involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and managing compliance environments.
These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.