KIMBERLY CLARK CORP - (KMB)

10-K Filing Date: February 08, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We have implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats. Our efforts are designed to maintain the confidentiality, integrity, and availability of our information and operational technology systems and the data stored on those systems. The program includes:
periodic risk assessments to identify and assess cybersecurity risks and vulnerabilities in our information technology systems;
security event monitoring, management, and incident response;
third party engagements to perform periodic penetration testing and reviews of program maturity based on the National Institute of Standards and Technology ("NIST") cybersecurity framework;
reviews by our internal audit team of the effectiveness of information technology-related internal controls;
cybersecurity risk assessments of our third-party vendors; and
employee training, including regular phishing simulations.
The program is continually adapting to the evolving threat landscape and technology developments.
Cybersecurity risk management is included within our overall enterprise risk management program which is overseen by our Global Risk Oversight Committee (“GROC”). The GROC is composed of executive officers and other senior leaders and coordinates with other risk assurance functions, including internal audit and compliance. The GROC receives regular briefings concerning cybersecurity risks and risk management processes.
Additional information on cybersecurity risks we face is discussed in Item 1A, "Risk Factors,” which should be read in conjunction with the information in this section.
Internal Cybersecurity Team
Our Chief Information Security Officer (“CISO”) oversees a team with extensive cybersecurity knowledge and experience. The team is responsible for:
leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes;
incident response and operational activities, including identifying and initiating updates to systems which require patching, vulnerability management strategy, red teaming, network security configurations and security architecture;

11
KIMBERLY-CLARK CORPORATION - 2023 Annual Report


oversight of third parties engaged to assist in our cybersecurity risk management, along with third parties’ vendors; and
legal and regulatory compliance.
Our CISO reports to our Chief Digital and Technology Officer (“CDTO”), an executive officer, who provides management of cybersecurity risks, reviews operational metrics and performs other relevant activities related to the cybersecurity function.
Security Policy and Requirements
As part of our overall risk management program, we have adopted our Information Security Policy which details the overall risk-based framework and governance for the management and security of our information technology assets and information. The policy applies to everyone who accesses our data or information resources and all of our information systems and resources, including third parties we engage. Our program aligns with the NIST cybersecurity framework.
Material Cyber Risks, Threats and Incidents
We actively monitor the evolving cybersecurity and geopolitical landscapes that could result in new or increased cybersecurity threat including geopolitical events such as the Russia invasion of Ukraine in March 2022.
As a global company serving consumers in more than 175 countries and territories, we routinely experience a wide variety of cybersecurity incidents. However, we have not experienced a cybersecurity incident that has materially affected or is reasonably likely to materially affect our business strategy, results of operation or financial condition. For a more detailed discussion of the risks we face, see Item 1A, "Risk Factors."
Incident Response
We have adopted a cybersecurity incident response plan that is designed to provide a framework across all functions for a coordinated identification and response to security incidents. The plan specifies the process for identifying, validating, classifying, documenting, and responding to cybersecurity events as well as determining whether reporting of an event is appropriate under regulatory standards. The plan also includes a materiality assessment framework that sets forth procedures to support our assessment of whether a security incident is “material” under the federal securities laws. Internal reporting and escalation protocols are in place to ensure the involvement of the CISO, other senior leaders, and the Audit Committee, as appropriate. Under the plan, we regularly conduct tabletop exercises to test our preparedness and our incident response process, and we provide ongoing training.
Governance
Our Board of Directors has delegated to the Audit Committee oversight responsibility of our risk management program, including cybersecurity, business continuity, IT operational resilience, and data privacy. The Audit Committee receives quarterly reports from our CDTO and our CISO covering cybersecurity risks, strategic programs for managing cybersecurity risk, emerging trends and operational and policy compliance metrics.
At the management level, our cybersecurity program is led by our CDTO and our CISO. Our CDTO has served in various information technology roles for over 26 years, including as Chief Digital and Technology Officer of Kimberly-Clark and as Executive Vice President and Chief Digital Officer of Toyota Motors North America, Inc. Our CISO has served as a chief information security officer or equivalent role at large public and private companies for over 16 years. Our CISO also has several information technology-related certifications, including the Certified Information Systems Security Professional ("CISSP") certification. Our CISO reports to our CDTO, who in turn regularly reports to our Chairman of the Board and Chief Executive Officer. We have protocols by which certain cybersecurity incidents are reported promptly to the Chairman of the Board and Chief Executive Officer, or the Audit Committee, as appropriate.


12
KIMBERLY-CLARK CORPORATION - 2023 Annual Report