CAL-MAINE FOODS INC - (CALM)
10-K Filing Date: July 23, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We understand the importance of cybersecurity and its role in the success of our Company. Our business operations depend on
the effective use of our information systems in order to properly serve our customers, manage our business and track and report
our financial results. Our technology operations consider risks from cybersecurity threats in the implementation and execution of
our business processes. We have considered and assessed the risks from cybersecurity threats as part of our overall risk assessment
process using the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework.
In order to identify, assess and manage material risks arising from cybersecurity threats, we maintain internal resources to monitor
and quickly respond to such threats. We perform vulnerability scans and penetration testing designed to test the effectiveness of
our security practices. We engage third-party service providers to assist in the evaluation of our internal controls over our
information systems through audit and consulting services to test the design and operational effectiveness of security controls.
We continually monitor our systems to detect and identify cybersecurity threats. Prior to contracting with third-party vendors, we
perform risk assessments of the vendors and require the vendors to manage cybersecurity risks to our business operations as well
as notify us of any potential or known cybersecurity risks. We also require our employees to complete training programs to
increase their awareness of and sensitivity to cybersecurity threats. These training programs include the identification of such
threats and the proper responses to a potential breach of cybersecurity that aligns with our adopted processes.
The Company has implemented a response process in the event of a cybersecurity incident through its crisis management plan.
The process includes the cooperation of the information technology team and our management team to properly detect and
respond to these incidents. These responses include determination of the potential impact and materiality of the incident, potential
disclosure and litigation matters, and mitigation of actual or potential damage to our systems or reputation arising from the
incident. An action plan is implemented to respond to any potential cybersecurity breach in order to continue to effectively serve
our customers and conduct our operations with as little interruption as practicable. The information technology team reviews the
response process on a regular basis to ensure that it is designed to be effective and to encompass current or new cybersecurity
threats.
As of July 23, 2024, we are not aware of any risks from cybersecurity threats, including as a result of prior cybersecurity incidents,
that have materially affected or that we believe are reasonably likely to materially affect the Company, including our business
strategy, results of operations or financial condition. See “Item 1A. Risk Factors” for further discussion about risks from
cybersecurity threats.
Governance
The Board is responsible for the oversight of management’s process for identifying and mitigating risks related to cybersecurity
threats. On a quarterly basis, the Director of Information Technology provides a report to the Audit Committee regarding ongoing
processes to improve and update our current cybersecurity protocols, new cybersecurity threats, results of internal assessments,
and any recent cybersecurity incidents. The Audit Committee will make the Board aware of any information it deems necessary
or appropriate in order for the Board to effectively oversee the Company’s cybersecurity risk management and strategy.
The Director of Information Technology and the team he manages are responsible for the operation and maintenance of our
information systems, including the assessment, identification and management of risks from cybersecurity threats. Together, the
Director of Information Technology and his team have over 150 years of experience in the information technology and security
environment. Our Chief Financial Officer, to whom the Director of Information Technology reports, has served as Chief Financial
Officer and a Board member since 2018 and has over 40 years of risk management experience.