WK Kellogg Co 10-K Cybersecurity GRC - 2024-03-08

Page last updated on April 11, 2024

WK Kellogg Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 16:05:31 EST.

Filings

10-K filed on 2024-03-08

WK Kellogg Co filed an 10-K at 2024-03-08 16:05:31 EST
Accession Number: 0001628280-24-009949

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy. The Company manages cybersecurity risk as part of our overall enterprise risk management strategy, overseen by the Audit Committee and the Board of Directors. The Company has developed an information security program to address material risks from cybersecurity threats. The program includes processes identifying how security measures and controls are developed, implemented, and maintained. Our cybersecurity processes align with the National Institute of Standards and Technology (NIST CSF) Framework. The company conducts regular risk assessments on systems and applications to detect potential risks, threats, and vulnerabilities. Additionally, annual assessments are conducted to evaluate the effectiveness of controls. Risk assessment, risk-based analysis, and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls, and impact of controls on operations and others. Several controls are employed to differing extents, encompassing but not restricted to endpoint threat detection and response (EDR), identity and access management (IAM), privileged access management (PAM), logging and monitoring utilizing security information and event management (SIEM), multi-factor authentication (MFA), firewalls, intrusion detection, and prevention, as well as vulnerability and patch management. Third-party security firms are used in different capacities to provide or operate some of these controls and technology systems. For example, third parties conduct assessments, such as vulnerability scans, penetration testing, and overall risk assessments, and third-party tools are utilized to identify potential vulnerabilities. The Company employs a variety of processes to address cybersecurity threats related to third-party technology and services, including privacy, solution and vendor risk assessments, imposition of contractual obligations, and performance monitoring. The Company also relies on services provided by Kellanova, a third-party entity, through a Transition Service Agreement (TSA). This agreement ensures the seamless continuation of essential operations during transitional phases. To support our preparedness, the Company has a written incident response preparedness plan that we update as business needs and the security landscape change. In the event of a cybersecurity incident, our incident response team refers to the plan, and the Company conducts tabletop exercises to enhance incident response preparedness. The plan sets out clear response procedures, define roles, categorize incidents, determine materiality, record responses, comply with regulatory standards, assist in public disclosure, and lessen the impact on stakeholders. It is designed to enable a prompt, uniform, and efficient strategy to reduce the financial, operational, legal, and reputational risks associated with cybersecurity incidents. Business continuity and disaster recovery plans are used 34 to prepare for the potential disruption of technology we rely on. The Company has implemented a user awareness program to enhance cybersecurity measures. These include phishing, malware, data handling, device security, cybersecurity education, password security, internet browsing and defenses to physical threats. As part of our overall risk mitigation strategy, the Company also maintains cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyberattacks and other related breaches. The Company (or third parties it relies on) may not be able to fully, continuously, and effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine the security controls to implement, and it is possible we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks and events, when detected by security tools or third parties, may not always be immediately understood or acted upon. For further discussion of these risks, see Risk Factors Risks Related to Our Intellectual Property and Technology Technology failures, cyber-attacks, privacy breaches or data breaches could disrupt our operations or reputation and negatively impact our business. Governance The Company has a Governance, Risk, and Compliance (GRC) IT function to address enterprise risks; cybersecurity is a category handled by that function. Cybersecurity is a vital pillar within a comprehensive risk management framework, fostering cross-functional collaboration to fortify organizational resilience against digital threats. The Company has a privacy and security governance committee. The company operates a privacy and security governance committee and a cybersecurity team led by a Chief Information Security Officer. With extensive cybersecurity experience across IT services, Telecom, and Manufacturing sectors, the Chief Information Security Officer spearheads cybersecurity risk and strategy and directly reports to the Chief Information Officer. Additionally, as part of our overall enterprise risk management strategy, our Audit Committee, which consists solely of independent directors, oversees cybersecurity and receives updates on cybersecurity matters, which include a review of potential digital threats and vulnerabilities, cybersecurity priorities, and our cybersecurity framework. As of December 30, 2023, we are not aware of any material cybersecurity incidents that impacted the Company or are reasonably likely to impact the Company materially. However, we have been the target of cyber attacks and expect them to continue as cybersecurity threats rapidly evolve in sophistication and become more prevalent in the industry. We face risks of incidents, whether through cyberattacks or cyber intrusions through the Cloud, the Internet, phishing attempts, ransomware and other forms of malware, computer viruses, email attachments, extortion, and other scams.

Company Information