10-K Filing Date: August 08, 2024
Risk Management and Strategy
The Company maintains a comprehensive program and processes designed to assess, identify, evaluate and manage vulnerabilities to the Company’s business and operations, and other material risks from cybersecurity threats, as part of its overall Enterprise Risk Management (ERM) and cybersecurity risk management program and processes.
The Company’s cybersecurity risk management program includes the following features.
Leverages the National Institute of Standards and Technology (NIST) and Zero Trust Architecture frameworks for managing cybersecurity risks;
Maintenance of security policies and standards, regular updates to response planning and protocols, and implementation of new technology to monitor new vulnerabilities, emerging threats and risks;
A cybersecurity incident response plan designed to facilitate cross-functional coordination across the Company (including escalation based on the severity of the impact of an incident), mitigate brand and reputational damage, and comply with applicable legal obligations, which includes guidance to support the Company’s assessment of whether an incident is considered “material” for purposes of U.S. securities laws;
Executive and IT team tabletop exercises;
A cybersecurity insurance program to reimburse covered costs, losses and claims relating to a data or security breach;
Use of consultants, third-party service providers and information security firms to provide technology systems or administer aspects of this program, conduct assessments of the Company's cybersecurity practices and penetration testing, and cybersecurity, risk management and legal experts;
A third-party risk assessment process that utilizes a risk-based approach for vendors engaged through the Company’s procurement process; and
Regular phishing and cybersecurity awareness and engagement training for all employees who have access to Company email and connected devices.
The Company’s business strategy, results of operations and financial condition have been materially affected by our previously disclosed August 2023 cyberattack. See “Risk Factors” in Item 1A of this Annual Report on Form 10-K for more information on risks from cybersecurity threats that are reasonably likely to materially affect the Company’s business strategy, results of operations and financial condition.
The August 2023 cyberattack resulted in wide-scale disruptions to the Company’s business operations. Impacts of these system disruptions included order processing delays and significant product outages, resulting in a negative impact on net sales and earnings. The costs incurred included third-party consulting services, such as IT recovery and forensic experts, and other professional services to investigate and remediate the attack, as well as incremental operating costs from the resulting disruption to the Company’s business operations. These costs have been partially offset by recognized insurance recoveries in fiscal year 2024. See Notes to the Consolidated Financial Statements for additional details regarding the impact of the August 2023 cyberattack.
The Chief Information Security and Infrastructure Officer (CISIO) is responsible for the Company’s cybersecurity risk management program. The CISIO oversees the Company’s technology risk management team. This team works in partnership with the legal, financial reporting controls and internal audit functions to review information technology-related internal controls with the Company’s independent auditors as part of the overall internal controls process.
The CISIO has information technology and information security experience, including enterprise risk management leadership, and holds a Certified Information Security Manager certification from the Information Systems Audit and Control Association (ISACA). The CISIO reports to the Chief Information and Data Officer (CIDO), who is a member of the Clorox Executive Committee and reports directly to the CEO. The CIDO has experience overseeing and executing technology strategies and implementations in complex, global organizations. The CIDO has been in this role for the Company since June 2020 and has experience leading technology strategy in the consumer packaged goods, manufacturing and retail industries.
The Company has established the Clorox Information Security Executive Committee (CISEC) which oversees the information security strategy, policies and practices of the Company. The CISEC supports the Company’s objective of maintaining a strong security culture by overseeing alignment between the Company’s security objectives and business goals, risk exposure, and compliance requirements. The CISEC is chaired by the CISIO and includes in its membership the CIDO and Chief Legal Officer, who are both members of the Clorox Executive Committee, as well as the Chief Accounting Officer and Controller and VP, Internal Audit. The CISIO also provides periodic reports to the Clorox Executive Committee and quarterly reports to the Audit Committee. These reports may include updates on critical information security and cybersecurity risks and the threat landscape; cybersecurity improvement initiatives, the internal control environment, and ongoing internal audit activities; and, if relevant, the status of actions taken with respect to significant cybersecurity incidents.
Board of Directors
The Board, through the Audit Committee, is responsible for the oversight of the Company’s compliance with legal and regulatory requirements relating to data privacy, cybersecurity and IT risks and its framework and guidelines with respect to risk assessment and risk management. The Audit Committee receives quarterly updates from the CISIO on the topics set forth above, in addition to the Chief Legal Officer and CIDO.
The Board retains responsibility for the overall process for assessing and managing major risks facing the Company and receives updates regarding information security and cybersecurity risks as part of its oversight of ERM. The CIDO and Chief Legal Officer provide quarterly updates to the Board on topics that may include information security and cybersecurity matters. The Board may also be notified and engaged as part of the Company's cybersecurity incident response plans, depending on the severity of the impact of an incident. The Board and Audit Committee include directors with knowledge, skills and experience in data security, privacy, IT governance, and management of cyber risks.