NEWELL BRANDS INC. 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

NEWELL BRANDS INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 18:02:20 EST.

Filings

10-K filed on 2024-02-20

NEWELL BRANDS INC. filed an 10-K at 2024-02-20 18:02:20 EST
Accession Number: 0000814453-24-000017

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard its information systems and to protect the confidentiality, integrity, and availability of its data. Cybersecurity risks are monitored, updated on a regular basis, and integrated as part of the Company s broader enterprise risk management process. The reporting and analysis of cybersecurity risks have also been incorporated within the Company s disclosure controls and procedures and internal disclosure committee process. The Company conducts multiple forms of cybersecurity awareness and training for employees including general cybersecurity awareness articles, role-based training, online cybersecurity awareness tools, and frequent monthly awareness presentations. The Company uses a combination of internal and external resources to assess, identify, and manage material risks from cybersecurity threats. Internally, the Company leverages its global information security organization, the Information Technology function, privacy and compliance departments, operating segments, functional areas, and its internal audit function. Given the complexity and evolving nature of cybersecurity threats, the Company also utilizes the following external resources: two industry research and technology firms for benchmarking and industry research; several cybersecurity operations partners for risk detection and threat information sharing; cybersecurity penetration testing companies to provide regular technical assessments of our systems; an information sharing and analysis service specific to the consumer goods industry; and the assistance of its outside cybersecurity counsel. The Company oversees its third-party service providers security posture by using an internally managed vendor security assessment process prior to vendor onboarding, with ongoing monitoring for any emerging risks. The Company supplements its internal processes with third-party security partners that provide risk measurements for third parties. While the Company has not encountered cybersecurity risks that have materially affected or are reasonably likely to materially affect its strategy, results of operations or financial condition, there can be no guarantee that the Company will not be materially affected by such cybersecurity risks or a cybersecurity incident in the future. For a discussion of cybersecurity risks and incidents that may impact the Company, refer to preceding section Item 1A. Risk Factors. Governance The Company s Board of Directors provides oversight of risks from cybersecurity threats through its Audit Committee. The Company s Chief Information Security Officer provides regular quarterly updates on material cybersecurity risks, performance and material risk related metrics, and material risk mitigation strategies. These reviews help to inform the Audit Committee, identify areas for improvement and help align the Company s cybersecurity risk management efforts with overall enterprise risk management. The Audit Committee incorporates this information into its regular reporting to the Board of Directors. The Company s management plays a critical role in assessing and managing cybersecurity risks. The Newell Brands Information Security program is led by the Company s Chief Information Security Officer, a Certified Information Systems Security Professional (CISSP) with over 20 years of experience in cybersecurity gained at four global Fortune 500 companies, and the Company s Chief Information Officer who has overseen the Company s security function for the past 11 years. The Newell Brands Information Security program is governed by the Information Security Governance Committee (the ISG Committee ), comprised of the Chief Information Security Officer (its Chair), Chief Financial Officer, Chief Legal and Administrative Officer, Chief Human Resources Officer, Chief Information Officer, and Vice President of Internal Audit. The ISG Committee meets quarterly to discuss material risks, material risk related metrics, and material risk mitigating strategies and conducts tabletop exercises. In addition to the ISG Committee, Company management is informed about and monitors material cybersecurity risks and incidents through the following formal processes: Newell Brands Incident Response Policy and Procedures and related response and governance protocols for high severity incidents; Periodic Information Security program presentations to leadership; and Chief Information Security Officer material incident notifications to Company management, including the President and Chief Executive Officer. The outputs from the management processes above are synthesized into the above-mentioned reporting to the Audit Committee of the Board of Directors. 20

Company Information