COLGATE PALMOLIVE CO 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

COLGATE PALMOLIVE CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 16:03:27 EST.

Filings

10-K filed on 2024-02-15

COLGATE PALMOLIVE CO filed an 10-K at 2024-02-15 16:03:27 EST
Accession Number: 0000021665-24-000003

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Management s Role in Assessing and Managing Cybersecurity Risk; Processes for assessing, identifying and managing material risks from cybersecurity threats We have a systematic and thorough risk management process, which is designed to identify, assess, prioritize and mitigate the risks that could negatively impact achievement of our strategic and operating objectives. A key component of this process is our Enterprise Risk Management ( ERM ) Committee, which is led by our Chairman, President and Chief Executive Officer, and includes our Chief Financial Officer, Chief Legal Officer, Chief Information Officer and other members of senior management. The ERM Committee monitors both current and emerging risks facing the Company and meets at least quarterly to review the prioritization of identified risks. The ERM Committee has identified cybersecurity as a critical risk facing the Company. Each of the most critical risks identified is assigned to a member of senior management who oversees the management, mitigation and presentation of the risk to the senior leadership team and throughout the year to our Board of Directors. The risks relating to information technology, including cybersecurity, are overseen by our Chief Information Officer. Our Chief Information Officer then assigns the risks within the Information Technology risk category to others on his team. The cybersecurity risk is managed and overseen by our Chief Information Security Officer ( CISO ), who reports to our Chief Information Officer. Cybersecurity as a risk is presented to the full ERM Committee annually or more frequently as needed. We have a dedicated information security organization, led by our CISO and overseen by our Chief Information Officer, which is responsible for assessing and managing material risks from cybersecurity threats. Our Chief Information Officer reports to our Group President, Growth and Strategy, a member of our senior leadership team who reports to our Chairman of the Board, President and Chief Executive Officer. Our CISO has over 25 years of information technology experience, including leading data analytics, customer relationship management, architecture and application development teams. He has been leading our global information security program for almost five years. He is a Certified Information Systems Professional, a member of Google Cloud CISO Customer Advisory Board and New Jersey Infragard and completed the FBI CISO Academy. He joined the Company over 25 years ago and has extensive knowledge regarding our business processes and the associated information technology platforms utilized worldwide, enabling him to guide his organization to protect the Company s systems and information. Our Chief Information Officer joined the Company over 25 years ago and has expertise across a wide array of information technology and systems, with experience leading a large array of different functions within the global information technology organization. He has led our information technology Operational Performance and Reliability Committee for the last eight years, which reviews and provides continuous improvement processes and technology across infrastructure, information security, architecture, application and end user performance. He has application development leadership experience across all functions, including the policies and controls that govern both application development and implementation of packaged software. The Company s information security organization seeks to employ cybersecurity best practices, including implementing new technologies to proactively identify and monitor new vulnerabilities and reduce risk, conducting due diligence of third-party vendors information security programs, maintaining security policies and standards and regularly updating and testing our response planning and protocols. The information security organization also works in partnership with our Internal Audit function to identify cybersecurity risks and review cybersecurity-related internal controls with third parties as part of the overall internal controls process. The information security organization also gains valuable information to improve our threat and risk awareness capabilities as a member of an industry information sharing and analysis organization, which provides strategic and tactical information sharing channels. Additionally, employees are provided mandatory cybersecurity awareness training on an annual basis, which includes information about how to identify and report cybersecurity concerns and incidents. The information security organization also conducts phishing simulations and testing scenarios through tabletop exercises and assessment activities, to help ensure compliance with our cyber policies and procedures. We maintain a cybersecurity insurance policy and have retained relevant incident response services. Additionally, we maintain an offensive security team that works both independently and with third party cybersecurity professionals to conduct security assessments of our 21 enterprise-wide cybersecurity practices, including penetration testing, and identify areas for continuous improvement within the information security program. We maintain a Data Security Incident Response Plan (the Plan ), which outlines the processes and procedures that we should follow to respond to, remediate and resolve a security incident involving a potential or actual compromise of our proprietary information and/or personal information. It also describes the structure, roles and responsibilities of personnel involved in responding to such incidents and provides a process for alerting senior management of such incidents. The Plan is reviewed on an annual basis and revised as necessary. Our dedicated information security organization leverages various frameworks for managing cybersecurity risks, including the National Institute of Standards and Technology ( NIST ) framework. The key pillars of the NIST framework are to (i) develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities; (ii) develop and implement appropriate safeguards to ensure delivery of critical services; (iii) develop and implement appropriate activities to identify the occurrence of a cybersecurity event; (iv) develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident; and (v) develop appropriate activities to action an incident. We have a comprehensive third party cybersecurity risk review process, which prioritizes, monitors and assesses the risks associated with our third party service provider interactions. The third party service provider assessment framework follows industry standard practices and allows us to properly understand the risk associated with the services provided which are key to our company s daily operations. For additional information regarding risks faced by the Company from cybersecurity threats, see Item 1A, Risk Factors - A cybersecurity incident, data breach or a failure of key technology systems could adversely impact our business. Board s Oversight of Cybersecurity Risks Our Board of Directors is focused on cybersecurity. Specific responsibility for cybersecurity oversight is delegated to the Audit Committee. The Board oversees our risk management process to ensure it is properly designed, well-functioning and consistent with our overall corporate strategy. Our Audit Committee oversees the ERM process and the implementation of appropriate risk monitoring and management systems, though all Board members attend Audit Committee meetings and participate in risk management discussions. The Audit Committee also oversees risks associated with cybersecurity, financial reporting and legal matters (including data privacy, competition law, litigation and ethics and compliance). Our Board of Directors has adopted a written statement, known as the Independent Board Candidate Qualifications and made available on our website, outlining the qualities sought in our directors. This statement, which is refreshed periodically and was most recently updated in January 2023, is used by the Nominating, Governance and Corporate Responsibility Committee ( NGCR Committee ) in evaluating individual director candidates. The NGCR Committee has identified experience with overseeing and managing risk management processes, including with respect to cybersecurity, as being important to creating an effective, well-rounded and diverse Board. Directors with experience overseeing and managing risk management processes play a critical role in the Board s oversight of our enterprise risk management process. Our CISO provides a report to the Audit Committee on cybersecurity quarterly, or more frequently if circumstances warrant, including relevant cybersecurity incidents impacting the Company and on topics related to information security, data privacy and cyber risks and mitigation strategies. In addition, outside experts periodically present to the Board on cybersecurity. 22

Company Information