FRESH DEL MONTE PRODUCE INC 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

FRESH DEL MONTE PRODUCE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 16:39:32 EST.

Filings

10-K filed on 2024-02-26

FRESH DEL MONTE PRODUCE INC filed an 10-K at 2024-02-26 16:39:32 EST
Accession Number: 0001047340-24-000017

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity risk management and strategy Our Board recognizes the increasing significance that cybersecurity has on our operations and business and is responsible for overseeing our cybersecurity plan and risks to the Company from cybersecurity threat actors. From farm to table our operations rely on various information systems and technologies, including those provided by third party suppliers. These systems collect, process, transmit and retain information that may require both mandatory and voluntary data protection regimens. Our cybersecurity policies, standards, processes, and practices are designed to provide reasonable information security given the integrated nature of our organization, our third-party relationships, and the geographic regions we operate in. With this multi-layered approach, we aim to mitigate cybersecurity vulnerabilities across all aspects of our operations. Our approach to cybersecurity is grounded in the NIST Cybersecurity Framework v1.1, a nationally recognized and adaptable model that aligns with our goals, and addresses the following key areas: Cross-Functional Approach: We have implemented a cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of cybersecurity incidents so that decisions regarding the disclosure and reporting of such material incidents may be made by management in a timely manner. Identify, Protect and Detect: We have designed and implemented an industry standard security architecture, policies and procedures applying least privilege, and third-party monitoring of security controls of our core enterprise systems. 28 Table of Contents Response and Recovery: Working with our third-party security operations center, we maintain an incident response plan to timely, consistently and compliantly address any cyber event that may occur and have a designated Incident Response Team consisting of representatives from select business functions which is led by our Vice President of Information Technology (“CISO”). We regularly test our incident response plan, conduct compliance audits, periodic tabletop exercises, vulnerability assessments, and where necessary engage third parties to assist with these audits and assessments, as well as mitigation and remediation options and plans. Third-Party Risk Management : We rely on the representations and certifications of key partnerships with suppliers recognizing these third-party relationships introduce additional cybersecurity risks. To address these third-party risks, we have established strict criteria for supplier selection and conduct security risk assessments to mitigate potential impacts on our business. Education and Awareness : We provide regular, mandatory training for personnel regarding cybersecurity threats to educate and empower our workforce to be vigilant against threat actors and actively participate in cybersecurity efforts. Cybersecurity governance Board Oversight Our Board believes a strong cybersecurity strategy is vital to protect our business operations, sustain our control environment and honor our data protection obligations. The Board has delegated to its Governance Committee the responsibility for monitoring the effectiveness of the Company’s internal cybersecurity program and coordinates its finding with the company Audit Committee. The CISO and various members of the Incident Response Team report on cybersecurity threats, incidents, plans and responses to the Governance Committee and/or the entire Board on at least a quarterly basis, and more often as needed. Management Oversight Our COO, CISO, Chief Global Privacy Officer (“CPO”), our General Counsel (“GC”) and various members of the Incident Response Team play an important role in managing the Company’s cybersecurity-related risks and maintaining an ongoing dialogue with the Board, the Governance Committee and the Company’s Disclosure Committee. Potential cybersecurity incidents come to the attention of the Incident Response Team, which then responds to such incidents in accordance with our incident response plan. When appropriate, cybersecurity incidents are reported to the Company’s Management Disclosure Committee to review and assess the materiality of the cybersecurity incident. The members of the Disclosure Committee, which is responsible for addressing the Company’s public disclosures and internal controls, include the GC, CISO, CPO, our Chief Operating Officer, certain members of the Incident Response Team, and other members of senior management from legal, finance, risk management, internal audit and communications. While we have not experienced any cybersecurity incidents that have had, either individually or in the aggregate, a material adverse effect on our business, financial condition or results of operations, we did experience and incur costs related to a cybersecurity incident in 2023. Future incidents may interrupt our operations, cause reputational harm, subject us to increased operating costs or expose us to litigation. For additional discussion of the risks posed by cybersecurity threats, see Part I, Item 1A. Risk Factors Risks Related to our Information Systems of this Annual Report on Form 10-K. 29 Table of Contents

Company Information