Mondelez International, Inc. - (MDLZ)
10-K Filing Date: February 02, 2024
Item 1C. Cybersecurity.
We are committed to our goal to protect sensitive business-related and personal information, as well as our information systems. Due to the size and scope of our global operations, we are subject to numerous and evolving cybersecurity risks that could adversely and materially affect our business, financial condition and results of operations.
Our Management Leadership Team, with oversight from the Board of Directors, has implemented a comprehensive cybersecurity program, including incident response process, aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Computer Security Incident Handling Guide (NIST SP 800-61) to assess, identify, address and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity and availability of our business and information systems.
Governance
Our Board of Directors and Management Leadership Team review cybersecurity risks as part of their oversight and execution of the Company’s business operations and strategy. We have established oversight mechanisms intended to provide effective cybersecurity governance, risk management, and timely incident response.
Board of Directors Oversight
Our Board, in coordination with the Audit Committee, oversees the Company’s enterprise risk management process, including the management of risks arising from cybersecurity threats. Our Board has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee. Both the Board and the Audit Committee periodically review the measures we have implemented to identify and mitigate data protection and cybersecurity risks.
As part of such reviews, our Board and Audit Committee receive periodic reports and presentations from members of the team responsible for overseeing cybersecurity risk management, including our Chief Information Security Officer (CISO), which may address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, technological trends and information security considerations arising with respect to our peers and third parties. Members of our Management Leadership Team also report to the Board at least annually on data protection and current internal and external developments in cybersecurity, as part of the Board’s enterprise risk management review, and the Board receives reports of Audit Committee discussions regarding its oversight of cybersecurity risk. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated internally and, where appropriate, reported to the Audit Committee or the Board in a timely manner.
Management Role in Cybersecurity Risk Management
At the management level, our CISO has extensive cybersecurity knowledge and skills gained from over 20 years of work experience at Mondelēz and other major consumer goods and financial services companies. Our CISO currently reports to our Chief Financial Officer and has operational responsibility for our information security programs, protections, and efforts, along with leading the team responsible for implementing, monitoring, and maintaining cybersecurity and data security strategy, policy, standards, architecture, and practices across our business. Our CISO is supported by a team of enterprise information system security and risk professionals, including regional information security officers responsible for overseeing cybersecurity strategy and operations in each business unit. Our CISO receives reports on cybersecurity threats on an ongoing basis and regularly reviews risk management measures implemented by the Company to identify and mitigate data security and cybersecurity risks. Our CISO updates the Management Leadership Team on these matters and works closely with Corporate and Legal Affairs to oversee compliance with legal, regulatory, and contractual security requirements.
Cybersecurity Steering Committee
Our Cybersecurity Steering Committee currently includes our CEO, CFO, CISO, General Counsel and Chief Ethics & Compliance Officer and has broad oversight of our cybersecurity risk management processes, in coordination with the rest of the Management Leadership Team and the Board. The Cybersecurity Steering Committee has been established to meet and to discuss our cybersecurity risk management measures designed to identify and mitigate data protection and cybersecurity risks, along with procedures and practices related to incident response, including escalation and notification.
Risk Management and Strategy
Cybersecurity risk management is overseen both as a critical component of our overall risk management program and as a standalone program. We have implemented a risk-based, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Our cybersecurity program is designed to leverage people, processes, and technology to identify and respond to cybersecurity threats in a timely manner. Our vendor cybersecurity risk management program supports the planning, automation, and management of cybersecurity risk with enrolled suppliers and other third parties, focusing on risk-based assessments. Our employees undergo annual security awareness training to enhance their understanding of cybersecurity threats and their ability to identify and escalate potential cybersecurity events. We also employ systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use.
We assess, identify, and manage risks from cybersecurity threats through various mechanisms, which may include tabletop exercises to test our preparedness and incident response process, business unit assessments, control gap analyses, threat modeling, penetration tests, vulnerability scanning, internal audits, and external audits of our cybersecurity program. We also leverage assessors, consultants, auditors and third-party service providers, including threat intelligence, to inform our understanding of the cybersecurity threat landscape and enable risk-based measures to defend against evolving threats.
Incident Response
We have a Cybersecurity Incident Response Plan (“CSIRP”) to provide the organizational and operational structure, processes, and procedures for investigating, containing, documenting and mitigating cybersecurity incidents, including keeping senior management and other key stakeholders informed and involved as appropriate.
Our Cybersecurity Incident Response Team manages and executes technical response activities in coordination with our Security Operations Center, subject matter experts and others to respond to a cybersecurity incident. The objectives of the CSIRP include the following:
• Establish the Company’s cybersecurity incident response process and provide actionable guidelines to provide a timely, consistent, and repeatable response process;
• Describe the requirements and expectations for cybersecurity incident response;
• Set forth the roles and responsibilities for cybersecurity incident response personnel;
• Establish cybersecurity incident classification, escalation, and prioritization parameters;
• Confirm that cybersecurity incidents affecting the Company, and the Company’s responses to them, are appropriately documented;
• Establish protocols for materiality determinations for cybersecurity incidents under the SEC’s cybersecurity rules;
• Establish the process for assessing when public disclosure and external communications may be required; and
• Mitigate or minimize the effects of a cybersecurity incident on the Company, its personnel, customers, consumers, or others and limit financial, operational, legal, and reputational impact.
Material Cybersecurity Risks, Threats & Incidents
We also rely on information technology and third-party vendors to support our operations, including our secure processing of personal, confidential, sensitive, proprietary and other types of information. Despite ongoing efforts to continuously improve our and our vendors’ ability to protect against cyber incidents, we may not be able to protect all information systems, and such incidents may lead to reputational harm, revenue and client loss, legal actions, and statutory penalties, among other consequences. While we have not experienced any material cybersecurity threats or incidents in recent years, there can be no guarantee that we will not be the subject of future threats or incidents. Additional information on cybersecurity risks we face can be found in Item 1A, Risk Factors, which should be read in conjunction with the foregoing information.