DARLING INGREDIENTS INC. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

DARLING INGREDIENTS INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 15:18:14 EST.

Filings

10-K filed on 2024-02-28

DARLING INGREDIENTS INC. filed an 10-K at 2024-02-28 15:18:14 EST
Accession Number: 0000916540-24-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The Company takes an active, multi-faceted approach to cybersecurity, including adversarial engagement, under an assume breach philosophy premised on the continuous and ever-evolving nature of cyber threats and threat actors. The Company utilizes a cross-functional working group comprised of a Cybersecurity Department, which is responsible for overseeing cybersecurity for the Company s information systems; and plant operational technology (OT) personnel who are responsible for the security of plant OT. This group works in a cross-functional context due to the interconnectivity of these systems, as well as to collaborate about cybersecurity matters. The Company s Cybersecurity Department is headed by the Director of Global Cybersecurity, who reports to the Company s Chief Information Officer, and includes personnel located around the world who have cybersecurity training and skills in engineering, architecture, surveillance, analytics and administration. The Cybersecurity Department is responsible for setting the Company s cybersecurity policies, standards and benchmarks for its information systems, penetration testing and overseeing repairs of technical elements that fail testing. The Cybersecurity Department also conducts threat hunting within the Company s information systems and responds to threats. The Cybersecurity Department also engages certain third-party specialists to periodically review the Company s information systems and cybersecurity defenses, as well as to provide education about current and emerging threats, techniques and countermeasures. The Cybersecurity Department has also conducted cyber-attack simulation exercises with Company executive management and other leadership personnel for cyber-attack readiness. The Company s Director of Global Cybersecurity and Chief Information Officer also collaborate with our joint venture partner concerning cybersecurity matters for the DGD Joint Venture. The Cybersecurity Department uses a system based on the critical security controls set forth by the Center for Internet Security, Inc. (CIS) as a benchmark and framework for its cybersecurity defenses, and has implemented cybersecurity policies and controls designed using the CIS controls framework. The Cybersecurity Department regularly implements updates and changes to its cybersecurity program to remain current and adapt to emerging cybersecurity risks; audits the cybersecurity program typically every three years; conducts targeted vulnerability testing; and assigns pertinent Company personnel as owners for governance and compliance. The Cybersecurity Department also provides cybersecurity training to Company employees. The Company s Chief Financial Officer oversees a corporate risk analysis that organizes the Company s enterprise risks, including cybersecurity, into categories to assess the potential likelihood and impact of each, and to periodically review and update with the board of directors. The Company also has an internal Cybersecurity Committee comprised of leadership across multiple internal functions that meets regularly to review, with the Director of Global Cybersecurity and the Chief Information Officer, active and thwarted cybersecurity incidents, systemic threats, attack trends and techniques, counter and preventative measures and defenses being implemented to enhance security. The meetings are also conducted for: ongoing awareness among Company leadership about cybersecurity threats and incidents; discussion of strategies for continuous improvement and associated capital needs; and review of oversight, governance and reporting of cybersecurity matters. The Cybersecurity Department outsources several cybersecurity defense measures to utilize the know-how and tools, including artificial intelligence, of industry leading companies. The Cybersecurity Department also proactively consults with specialists in a variety of cybersecurity disciplines to review the Company s information systems for cyber risks and to provide advice for remediating areas of concern, as well as for implementing preventative measures to improve the Company s defenses. Page 45 The Company implements cybersecurity policies and controls within acquired entities as part of its integration process over time, typically in a phased approach, and with time periods for full execution varying depending on multiple factors, including the size and geographic scope of the acquired entity s operations; the status of the acquired entity s security including security systems, tools and personnel; security risks within the acquired entity; and the availability and quality of any interim defenses which can be implemented to protect both the Company and the acquired entity or to prevent threats at the acquired entity from reaching the Company s systems. Cybersecurity is also part of the Company s acquisition due diligence to identify risks and interim remedial measures for prioritization and implementation near transaction closing, subject to antitrust rules. In addition to the Company s active monitoring of certain critical third-parties for cybersecurity threats and attacks, the Company also has certain critical third-parties who access its information systems subject to controls designed to mitigate risks from cyber-attacks originating within infected third-party information systems. Moreover, the Company conducts diligence of certain of its third-party service providers with attention to cybersecurity risks. As of the date of this report, we have not identified any risks from cybersecurity threats, including those from any previous cybersecurity incidents, that have materially affected us, our business strategy, results of operation or financial condition. However, there can be no assurances that a cybersecurity threat or incident that could have a material impact on us has not occurred or will not occur in the future. For additional information on risks from cybersecurity threats, please see Item 1A Risk Factors. Governance The Director of Global Cybersecurity and the Chief Information Officer, in coordination with the Cybersecurity Department and other appropriate personnel, are responsible for assessing and managing the Company s material risks from cybersecurity threats. Our Director of Global Cybersecurity has served in various roles in information technology and information security for over 25 years, has been in the current role with the Company for more than 10 years, and has been trained and accredited in multiple cybersecurity subjects including training with governmental agencies. Our Chief Information Officer has served in various roles in information technology and information security for over 25 years, has been in the current role with the Company for more than 10 years, and holds a Master of Business Administration degree with a concentration in information systems management. The Company regularly confronts cyber risks, threats and incidents, any one of which could have a material impact on the Company, including its business strategy, results of operations or its financial condition. If the Company experiences a cybersecurity incident requiring a response, it has a Computer Incident Response Plan, which defines response protocols, resource allocations and personnel engagement depending on severity level. Executive leadership, including the CEO, would be engaged in the event of an incident at certain severity levels and the CEO would engage members of the Company s board of directors as appropriate. The Cybersecurity Department would also utilize third-party experts and consultants it has on retainer, depending on the nature of the incident. The Company s board of directors actively engages with senior management to understand and oversee the Company s various risks, including cybersecurity, and members of senior management regularly attend board meetings to provide periodic briefings or presentations on such risk matters. The Company provides presentations to its board of directors about cybersecurity matters, including review of cyber threats, incidents, trends and risks facing the Company; the Company s defenses against cyber-attacks including personnel, software, hardware and third-party tools and expertise; and the Company s governance, including policies, standards, benchmarks and auditing and testing, as well as remedial, preventative and proactive measures to repair or enhance the Company s cybersecurity defenses. Board engagement in these matters includes dialogue and questions, board member insights and perspectives from their industry experience and subject matter expertise and strategic suggestions and considerations for Company management to evaluate, all as part of the board s oversight of Company cybersecurity risks. The Company s Chief Information Officer and Director of Global Cybersecurity have also had discussions about various cybersecurity topics with a board member in response to requests.

Company Information