Reynolds Consumer Products Inc. - (REYN)
10-K Filing Date: February 07, 2024
ITEM 1C. CYBERSECURITY
Governance
Our information security program is managed by a dedicated Chief Information Security Officer (“CISO”), whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes, including assessing and managing our material risks from cybersecurity threats. The CISO is a Certified Information Systems Security Professional (“CISSP”) and has over 20 years of experience holding various roles in information technology and cybersecurity. The Audit Committee of our Board of Directors is charged with oversight of cybersecurity matters, including oversight of risks from cybersecurity threats.
The CISO provides quarterly reports to the Audit Committee, as well as more frequent reports to our Chief Executive Officer and other members of our senior management. These reports include updates on our cyber risks and threats, the status of projects to strengthen our information security systems, assessments of our information security program, and the emerging threat landscape. Our cybersecurity program is regularly evaluated by internal and external experts, with the results of those reviews reported to senior management and the Audit Committee. We also actively engage with key vendors, industry participants and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures.
Risk Management and Strategy
We have a comprehensive cybersecurity and information security framework that includes risk assessment and mitigation through a threat intelligence-driven approach, application controls and enhanced security with ransomware defense. The framework leverages the International Organization for Standardization 27001/27002 standards for general information technology controls, the National Institute of Standards and Technology Cyber Security Framework for measuring overall readiness to respond to cyber threats, and the Sarbanes-Oxley Act for assessment of internal controls. Our cybersecurity processes are integrated into our overall risk management system, and include a comprehensive cyber crisis management program that would apply if a cybersecurity-related incident were to occur.
We perform simulations, tabletop exercises and response readiness tests on an annual basis. In addition, we engage external consultants to perform penetration testing at least annually. Our cyber crisis management program includes a documented plan that provides guidance on the overall coordination of our response to a cyber crisis and on the resources, actions and decisions for which we may need to be prepared; a cyber crisis communication plan for timely and accurate dissemination of evolving information to stakeholders during the crisis, including the timeline, approval process and monitoring of messaging; and business continuity plans that document the application of specific strategies and measures to enable core business activities to continue during a cyber event. The ongoing development and maturity of our cyber crisis management program is reported to senior management quarterly. Tabletop testing of the various plans occurs annually, with quarterly preparedness exercises.
With respect to third-party service providers, we perform information security assessments and due diligence reviews prior to entering into a contractual agreement. We also perform periodic due diligence reviews for existing third-party service providers based on the risks identified in the initial review, or if events and circumstances necessitate a review.
Refer to "A cyber-attack or failure of one or more key information technology systems, operational technology systems, networks, processes, associated sites or service providers could have a material adverse impact on our business and reputation" in Item 1A. "Risk Factors" for information regarding material risks from cybersecurity threats that affect us.