B&G Foods, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on July 16, 2024

B&G Foods, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:06:01 EST.


10-K filed on 2024-02-28

B&G Foods, Inc. filed a 10-K at 2024-02-28 16:06:01 EST
Accession Number: 0001558370-24-001996


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy.

Our enterprise risk management framework considers cybersecurity risk alongside other company risks as part of our overall risk assessment process. As part of our enterprise risk management, we maintain a comprehensive information technology, data governance and cybersecurity program that leverages people, processes and technology, to support the effectiveness of our information technology systems and identify, prevent and mitigate information technology and data security risks. Our cybersecurity program is aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Our cybersecurity team utilizes a variety of tools, processes and outside resources to continue to raise and maintain its maturity across the elements of NIST CSF.

Our cybersecurity program also addresses cybersecurity risks associated with our use of third-party service providers. We use systems and processes that are designed to assess, identify and reduce the potential impact of a cybersecurity incident at any of our third-party service providers. We assess information security controls of certain of our third-party service providers as part of our third-party information technology risk due diligence, and we conduct third-party vulnerability analysis.

We have an information security policy, which is supported by a security awareness program. We also have an information security training and compliance program in place. Our information technology (IT) department has engaged a third party to provide regular cybersecurity awareness training to our employees. We also have business continuity plans and incident response plans in place to prepare us to act quickly in the event of cyber incidents. We test our business continuity plans and incident response procedures at least annually.

Cybersecurity Governance.

Our chief information officer, who leads our IT department, oversees our cybersecurity program. Our chief information officer has twenty-eight years of IT experience. Our chief information officer reports to our chief financial officer. As part of our company’s risk management function, our chief information officer provides periodic updates about our cybersecurity risk profile to our executive leadership team. We have an incident response program that provides for the prompt escalation of certain cybersecurity incidents to certain members of management, including our chief financial officer and our general counsel, so that decisions regarding disclosure and reporting of such incidents can be made in a timely manner. Our chief information officer meets at least annually with the risk committee of our board of directors and/or the full board of directors to provide them with updates on IT matters, including cybersecurity. At least two members of our Board of Directors have IT and cybersecurity experience or expertise, including the chairs of our audit committee and risk committee. While our board of directors is ultimately responsible for risk oversight at our company, the risk committee of our board of directors assists the board in fulfilling its oversight responsibilities by reviewing risks in certain areas, including cybersecurity.

Cybersecurity Threats and Incidents.

To date, there have not been any cybersecurity threats or incidents that have materially affected, or are reasonably likely to materially affect, our company, including our business strategy, results of operations or financial condition. However, we and third-parties with which we have shared personal information have been subject to attempts to breach the security of networks, IT infrastructure, and controls through cyberattack, malware, computer viruses, social engineering attacks, ransomware attacks, and other means of unauthorized access.

For example, in February 2023, we experienced a cyberbreach resulting from a global ransomware attack that impacted thousands of network servers around the world and which encrypted certain of our network servers. In this case, our internal IT department together with third-party cybersecurity incidence response teams that we keep on retainer were able to unencrypt and restore most of the affected servers and restore others from backups within a few days and with minimal disruption to our manufacturing operations, sales, order processing, distribution and other business operations, and without paying any ransom. We incurred costs relating to the cyberattack, including costs to unencrypt and restore our servers, scan our network to ensure there was no remaining malware or other problematic remnants of the attack and to enhance our cybersecurity defenses. The February 2023 ransomware attack also resulted in the unauthorized release of sensitive personal information of certain of our current and former employees that has required remediation expenditures by our company, including, without limitation, expenditures to scan the leaked files to identify the specific individuals impacted and the scope of the sensitive personal information, and expenditures to notify and provide free credit monitoring to our employees and certain former employees and other individuals. Despite our ongoing efforts to continuously improve our ability to prevent and minimize the impact of future cyber incidents, we cannot assure you that we will not be the subject of future threats or incidents. 

While the February 2023 cyberattack and our remediation efforts have not had and are not expected to have a material adverse impact on our consolidated financial position, results of operations or liquidity, we cannot assure you that in response to a future cyberattack we will be able to restore our systems so quickly and with minimal disruption to our business operations and without incurring material costs. In addition, the mishandling or inappropriate disclosure of non-public sensitive or protected information could also lead to the loss of intellectual property, negatively impact planned corporate transactions or damage our reputation and brand image. Misuse, leakage or falsification of legally protected information could also result in a violation of data privacy laws and regulations and have a negative impact on our reputation, business, financial condition and results of operations. Please refer to the risk factor captioned "We are increasingly dependent on information technology; Disruptions, failures or security breaches of our information technology infrastructure could have a material adverse effect on our operations" included in Part I, Item 1A, “Risk Factors,” of this report, for further information about cybersecurity risks and potential related impacts on our company.

Company Information

Name: B&G Foods, Inc.
SIC Description: Food and Kindred Products
Ticker: BGS - NYSE
Category: Large accelerated filer
Fiscal Year End: December 29