SONOCO PRODUCTS CO 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

SONOCO PRODUCTS CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 14:20:41 EST.

Filings

10-K filed on 2024-02-28

SONOCO PRODUCTS CO filed an 10-K at 2024-02-28 14:20:41 EST
Accession Number: 0000091767-24-000012

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy. The Company s approach to risk management is designed to identify, assess, prioritize, and manage significant risk exposures that could affect the Company s ability to execute its corporate strategy and fulfill its business objectives. The Company manages enterprise risk through its Risk Management Committee ( RMC ) chaired by the Company s Vice President of Compliance, Risk and Audit with direct oversight from the Company s General Counsel. The RMC, which is made up of senior leadership across a variety of business functions, defines the Company s enterprise risk framework based upon analysis of industry and peer benchmarking as well as company-specific data analysis. As a component of the Company s enterprise risk management program, the Company s cybersecurity risk management program outlines the Company s cybersecurity risk management practices and capabilities, including the division of responsibilities for reviewing the Company s cybersecurity risk exposure and risk tolerance, tracking emerging information risks, and ensuring proper escalation of certain key risks for periodic review by the Board and its committees. Cybersecurity risk is evaluated within the population of all enterprise risks in the framework and is included in assessments overseen by the RMC that identify the risks of highest priority to the Company. For these highest priority risks, including cybersecurity risks, the RMC designates risk owners, sets common reporting processes and monitors risk mitigation and treatment strategies to support business continuity. The Company s cybersecurity risk management program leverages the National Institute of Standards and Technology Cybersecurity Framework for identifying, assessing, and managing material risks from cybersecurity threats. This approach combines prevention and detection techniques, informed by internal and external sources, to identify and analyze potential threat activities. When a threat is identified, a cyber incident response plan outlines the Company s procedures for containing, remediating, and recovering from the cybersecurity incident. Cybersecurity tenets are also incorporated into the Company s technology policies. The Company s cybersecurity risk management program focuses on vulnerability management, access management, and user awareness training. Among other things, the Company implements scheduled patching and system updates, proactively scans for vulnerabilities, and engages qualified third-party experts to assess the Company s information technology infrastructure and identify vulnerabilities and opportunities for continued focus and improvement. When vulnerabilities are identified, the Company s information technology ( IT ) management team receives reports that assess each vulnerability and track progress in remediating that vulnerability. The IT management team also collaborates with supply chain management and the Company s third party risk management program to onboard and monitor key third-party service providers to address the potential risk of cybersecurity threats through the use of such third parties. Annual cybersecurity training is mandatory for all users with access to the Company s IT systems, and the Company conducts monthly tests to promote phishing awareness. In addition to these prevention methods, the Company seeks to detect potential threats through external intelligence and monitoring solutions. External commercial or governmental agencies are also engaged to assess potential threat activity relevant to the Company. The Company also monitors server and endpoint devices across the organization to detect signs of a cyberattack. The Company has implemented and maintains an information security incident response plan ( IR Plan ), which includes processes to assess, escalate, contain, investigate, and remediate cybersecurity incidents. Upon notification of a potential cybersecurity threat, management defines the threat based on its nature as an information security event, alert, incident, or breach, and all cybersecurity incidents are categorized by level of severity based on the impact of the incident to the Company s operations. A technical incident response team is responsible for technical response activities, including information gathering and forensic analysis, containment, and remediation efforts. The Company s Crisis Management Team drives the Company s enterprise-level crisis response process, leads decisions around response strategies, coordinates resources required to execute such strategies, and oversees all cybersecurity incidents categorized as Critical and High. Although the Company did not experience a material cybersecurity incident during the year ended December 31, 2023, the scope and impact of any future incident cannot be predicted. See Item 1A. Risk Factors Risks Related to Information Technology and Cybersecurity for more information on the Company s cybersecurity-related risks. Governance. The Company s day-to-day management of cybersecurity risks is led by the Chief Information Security Officer ( CISO ) with direct oversight from the Chief Information Officer ( CIO ). The Company s IR Plan includes a defined escalation matrix for critical or high severity information security events involving notifications to the CISO and CIO, who further escalate critical or high severity events to the Company s Crisis Management Team, which consists of senior management from IT, including the CIO and CISO, Human Resources, Risk and Internal Audit, Marketing and Communications, Legal and Finance. The Crisis Management Team further elevates sufficiently critical and high severity events to the Company s Cyber Incident Review Committee ( CIRC ), which consists of the CIO, Chief Financial Officer, Chief Accounting Officer, VP of Investor Relations, VP of Compliance, Risk and Audit, and General Counsel, or their delegates. Additional senior management from relevant business units are added to the CIRC as needed based on the nature of identified cybersecurity incidents. The CIRC preliminarily evaluates whether an incident is material and provides a proposal to the CEO and CFO, who work in consultation with the committee to make a final determination of materiality. Such determination is communicated to the Audit Committee of the Board. The Company s Crisis Management Team has relevant expertise and experience to assess and remediate cyber threats. The CIO has over 17 years of experience in information technology and security, and the CISO has 31 years of information technology experience and 11 years of information security experience. 20 FORM 10-K SONOCO 2023 ANNUAL REPORT As part of its broader oversight activities, the Board oversees risks from information security threats and other risks identified by the RMC, both directly and by way of delegation to the Audit Committee. As reflected in its charter, the Audit Committee oversees and specifically discusses the guidelines and policies by which the Company assesses and manages its cybersecurity risk exposures, as well as the steps management has taken to monitor and control such exposures. The Audit Committee also oversees the Company s internal control over financial reporting, including with respect to financial reporting-related information systems. In addition to any communications of specifically identified cybersecurity events, the Audit Committee receives and discusses quarterly updates on cybersecurity activities, including review of annual external assessment results, training compliance and discussion of cybersecurity risks and resolutions, and is responsible for elevating significant matters to the full Board as events arise. The Board receives an annual update and provides feedback on the Company s cybersecurity governance processes, risk management plan, and any significant activities related thereto, and also reviews risk management practices in the course of its review of the Company s corporate strategy, business plans, Board committee reports, and other presentations. In addition to the ordinary-course Board and Audit Committee reporting and oversight described above, the Company also maintains disclosure controls and procedures designed for prompt reporting to the Board and timely public disclosure, as appropriate, of material events covered by our risk management framework, including information security risks.

Company Information