Bunge Global SA 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Bunge Global SA reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:24:17 EST.

Filings

10-K filed on 2024-02-22

Bunge Global SA filed an 10-K at 2024-02-22 16:24:17 EST
Accession Number: 0001996862-24-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Securing Bunge s business information, customer, supplier, and employee data and information technology systems is an important part of our overall risk management framework. We rely on certain key information technology systems, some of which are dependent on services provided by third parties, to provide critical data and services for internal and external users, including procurement and inventory management, transaction processing, financial, commercial and operational data, human resources management, legal and tax compliance, and other information and processes necessary to operate and manage our business. Our cybersecurity risk management program monitors our systems and networks for threats, breaches, intrusions and other weaknesses; assesses the security of our company-wide software, applications and systems; conducts security audits and threat assessments; responds to cybersecurity incidents; and facilitates training for our employees. Within our cybersecurity team, subject matter experts regularly obtain cybersecurity certifications. Our program includes procedures to identify cybersecurity risks and threats of our third-party service providers. These procedures measure the maturity of third-party provider cybersecurity programs against industry best practices. The collection of this information is used to assess the use of third-party software or partnerships. We also review the cybersecurity scores of our business customers and suppliers, and we rely on consultants and other third-party advisors to conduct security assessments and independent audits of the security and resilience of our systems and networks. Our cybersecurity risk management program includes response plans that are aligned with our crisis response plans and outline the procedures and protocols to follow when a cybersecurity incident has or may have occurred, including to allow assessments related to disclosure and notice requirements to be timely made to regulators and affected parties. The response plan includes protocols to notify our Chief Technology Officer (“CTO”), our Chief Legal Officer, other members of senior management as appropriate, and, under certain circumstances, the Audit Committee of our Board, or our full Board as appropriate. We have integrated cybersecurity risk assessments into Bunge s overall enterprise risk management framework to promote a company-wide culture of cybersecurity risk management. Our CRO formulates periodic reports and provides them to our Management Risk Committee (“MRC”). As noted in “Item 1. Business - Risk Management”, the MRC reviews key enterprise risks on an ongoing basis and is responsible for reviewing and monitoring key exposures, emerging risks, and drivers of risk. Increased global cybersecurity vulnerabilities, threats, and more sophisticated and targeted cybersecurity attacks, including those tied to global conflicts, pose a potentially significant risk to the security of our information technology systems, networks and services, as well as the confidentiality, availability and integrity of our data and the confidential data of our employees, customers, suppliers, and other third parties that we may hold. Although, to date, we have not experienced a material cybersecurity incident resulting in a significant interruption of our operations, the scope of any future incident cannot be predicted with any meaningful accuracy. See Item 1A. Risk Factors for more information. 32 Table of Contents Governance Our CTO leads our Business Technology organization and our cybersecurity risk management program in coordination with our CRO. The Business Technology team is responsible for assessing, identifying, and managing risks from cybersecurity threats. Our CTO and CRO regularly receive briefings on cybersecurity matters, and in turn our CTO regularly reports to the Audit Committee on such matters. Our CRO regularly reports on enterprise risks facing the Company to the ERMC. Our CTO has more than 20 years of experience in leading, managing, and transforming information technology systems for large, global organizations, and our CRO has several years of experience in leading and managing risk oversight for global organizations. Our Board oversees Bunge s approach to risk management. Our Board has established a dedicated Board committee, the Enterprise Risk Management Committee, which enables greater focus at the Board level on risk oversight tailored to our business and industries. Additionally, each of our other Board committees is responsible for considering risks within its area of responsibility. The Board has delegated oversight and review of risks related to cybersecurity and information technology systems to the Audit Committee. The Audit Committee is responsible for reviewing and assessing the overall cybersecurity risk management program and management s processes and policies with respect to cybersecurity risk monitoring, identification, assessment, and response. Senior management and the Audit Committee receive at least quarterly updates on Bunge’s cybersecurity readiness and the current “threat environment,” which includes an update on the cybersecurity threat landscape, the strategic priorities of the cybersecurity risk management program and progress made in respect of those priorities, a review of cybersecurity incidents, as well as additional updates on an as-needed basis. Our internal audit team also reports to the Audit Committee on the effectiveness of management in identifying and appropriately controlling risks, including cybersecurity risks. The Audit Committee regularly reports on its activities to the full Board to promote effective coordination and to ensure that the entire Board remains apprised of the effectiveness of the cybersecurity risk management and the cybersecurity risk landscape, and also assesses how management is managing these risks.

Company Information