Lamb Weston Holdings, Inc. - (LW)
10-K Filing Date: July 24, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We assess, identify, and manage material risks from cybersecurity threats through our cybersecurity risk management program. This program includes cybersecurity policies, standards, and procedures, a cybersecurity incident response plan, regular risk assessments, including as part of our annual enterprise risk management (“ERM”) assessment, testing of the Company’s internal infrastructure to identify vulnerabilities, cybersecurity insurance, procedures for recovering from disruptions to our operations, workforce cybersecurity trainings, and third-party assessments and programs. We maintain a cybersecurity incident response plan to help enable timely, consistent responses to actual or attempted cybersecurity incidents impacting the Company. This plan provides guidance to address the overall coordination of our response to a cybersecurity crisis and plan for resources, actions, and decisions we may need to be prepared for; a communication plan for timely and accurate dissemination of evolving information to stakeholders during the crisis; and business continuity plans that document strategies and measures to enable core business activities to continue during a cybersecurity event. To support our cybersecurity incident response plan, we conduct tabletop exercises to educate and train our management on response capabilities and inform adjustments to our controls and response. We have engaged third-party cybersecurity firms to advise on these exercises. The status and ongoing enhancement of our cybersecurity risk management program is reported to senior management, as well as the Audit Committee of our Board, on a quarterly basis, or more frequently as warranted.
As part of our broader risk management and control framework, we have implemented cybersecurity controls over the information technology and process control systems of the Company and of our third-party service providers, to support the oversight and identification of risks from cybersecurity threats. We engage third-party organizations to assess the controls around sensitive data, including but not limited to financial, employee, customer, and vendor data as well as data affecting our process controls and data used to operate our manufacturing facilities. As part of our cybersecurity risk management program, we conduct information security and data protection training for employees, including training on matters such as phishing, social engineering, cybersecurity awareness, and email security best practices. In addition, we work with third-party providers to undertake penetration testing and maturity assessments of the Company’s information security program based on the National Institute of Standards and Technology cybersecurity framework. With respect to third-party service providers, we perform information security assessments and due diligence reviews prior to entering into a contractual agreement. Further, after engagement, we periodically perform information security assessments of certain third-party service providers that we consider critical to our operations. In addition, recently, we have been including provisions in our supplier contracts that require the suppliers to maintain an effective information security management program and to notify us in the event of a known or suspected cyber incident. We have added these requirements in new or amended contracts going forward. We also consult with external advisors and specialists, as necessary, regarding opportunities and enhancements to strengthen our cybersecurity practices and policies and implement enhancements to our cybersecurity capabilities based on evolving threats.
While we have experienced threats to our data and systems, to date, we are not aware that we have experienced a cybersecurity incident that had, or is reasonably likely to have, a material impact on our business or operations; however, because of the frequently changing attack techniques, along with the increased volume and sophistication of the attacks, there is the potential for the Company to be adversely impacted. This impact could result in reputational, competitive, operational, or other business harm as well as financial costs and regulatory action. See “Item 1A. Risk Factors–Technology Risks” of this Form 10-K for additional discussion of cybersecurity risks and potential related impacts on the Company.
Corporate Governance
Our Board has ultimate oversight of cybersecurity risk, which it manages as part of our ERM program. This program is utilized in making decisions with respect to company priorities, resource allocations, and oversight structures. The Board is assisted by the Audit Committee, which regularly reviews our cybersecurity program with management and reports to the Board on its activities on a quarterly basis or more frequently as warranted.
Our cybersecurity program is managed by our Chief Information Security Officer (“CISO”), who reports to our Chief Information and Digital Officer (“CIDO”). Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the Company’s information security team, many of whom hold cybersecurity certifications such as a Certified Information Systems Security Professional or Certified Information Security Manager, and through the use of technological tools and software and results from third-party audits. Our CISO has extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our CISO has served in this position since June 2022 and has over 20 years of experience in information security. His background includes technical experience, strategy and architecture focused roles, cyber and threat experience, and various leadership roles in all areas of information technology. Our CIDO joined the Company in July 2023 with over 25 years of experience leading digital and information technology teams, including leading all aspects of her prior company’s global enterprise digital roadmap, including finance, supply chain, and commercial solutions as well as data and analytics, including automation and artificial intelligence.
Our CISO and CIDO regularly update the Audit Committee on the Company’s cybersecurity programs, policies, and practices as warranted, including review of the state of the Company’s cybersecurity programs and risks, emerging cybersecurity developments, threats and vulnerabilities, and the Company’s strategy and key cybersecurity initiatives designed to improve the Company’s risk posture. In addition, we have an escalation process in place to inform senior management and the Board of material cyber-related issues. The Audit Committee also reviews with our CIDO, on an annual basis, our global information technology structure and strategic efforts to protect, optimize, and support the growth of the Company. The Chair of the Audit Committee reports to the full Board on its activities.