Sovos Brands, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on July 16, 2024

Sovos Brands, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:33:50 EST.


10-K filed on 2024-02-28

Sovos Brands, Inc. filed a 10-K at 2024-02-28 16:33:50 EST
Accession Number: 0001558370-24-002020


Item 1C. Cybersecurity.

Sovos Brands maintains a risk-based information security program designed to identify, assess, manage and mitigate material risks from current and future cybersecurity threats. We have structured our program to align with the Center for Internet Security (CIS) Critical Security Controls (an industry recognized framework), informed by our risk assessment processes, which is intended to allow the program to evolve in response to the changing threat environment and as we continue to mature as a company. Our program includes implementing and maintaining information technology systems that monitor and track threats and vulnerabilities, maintaining written policies and procedures, carrying cybersecurity insurance, identifying risks arising from key third-party providers that host our material data, and delivering employee training and awareness regarding their responsibilities in securing our data and systems.

Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity service providers and consultants, to augment and support our employees with defined information security responsibilities. Cybersecurity event and threat information is collected and monitored by third-party service providers and reviewed regularly by IT personnel and management.

When an event is deemed a security incident, information technology and business management are informed in accordance with our Incident Response Plan (“IRP”). Our information security program and our IRP are managed by our Senior Vice President, Information Technology, who has over 15 years of experience and has held senior leadership roles at a Fortune 250 organization. Depending upon the nature and scope of an incident, our IRP contemplates engaging with other members of management and, potentially third-party experts, in a collaborative and cross-functional approach to enable timely assessment and escalation of incidents.
Our Board has responsibility for the oversight of risk management and, throughout the year, discusses and receives reports on our strategic plan and the risks faced by the Company. The Board has delegated to the Nominating and Corporate Governance Committee of our Board responsibility for reviewing that Board oversight of key risks is appropriately handled by the full Board or delegated to a committee. The Audit Committee of the Board has the responsibility to provide oversight relating to the information security program and cybersecurity risks. Our Senior Vice President, Information Technology, provides briefings to the Audit Committee regularly, typically quarterly, on our information security program’s performance and the changing risk environment, including detection, mitigation, and response to cybersecurity incidents. The Audit Committee regularly provides updates to the Board on its activities, including its review of cybersecurity matters. Additionally, our IRP contemplates that the Audit Committee, and, if appropriate, the full Board would receive prompt and timely information about cybersecurity incidents that meet established thresholds under our IRP.

As of the date of this report, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. The Company may not be able to fully, continuously, and effectively implement information security controls as intended. In addition, information security controls are subject to human error and, no matter how well designed or implemented, only mitigate and do not fully eliminate risks. Furthermore, events, when detected by security tools or third parties, may not always be immediately understood or acted upon.
For additional information regarding risks to the Company from cybersecurity threats, please see Part I, Item 1A - Risk Factors "We may be adversely impacted by a disruption, failure or security breach of our information technology infrastructure or failure to comply with privacy laws."

Company Information

Name: Sovos Brands, Inc.
SIC Description: Food and Kindred Products
Ticker: SOVO - Nasdaq
Emerging growth company
Fiscal Year End: December 29