Archer-Daniels-Midland Co 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

Archer-Daniels-Midland Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 06:01:10 EDT.

Filings

10-K filed on 2024-03-12

Archer-Daniels-Midland Co filed an 10-K at 2024-03-12 06:01:10 EDT
Accession Number: 0000007084-24-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY The Company faces significant and persistent cybersecurity risks due to: the breadth of geographies, networks, and systems ADM must defend against cybersecurity attacks such as exploitation of vulnerabilities, ransomware, denial of service, supply chain attacks, or other similar threats the attractiveness of the Company s systems and processes to threat actors (including state-sponsored organizations) seeking to inflict harm on ADM or its customers the substantial level of harm that could occur to the Company and its customers in case of a material cybersecurity incident and ADM s use of third-party products, services and components. During the year ended December 31, 2023, the Company has not identified risks from cybersecurity threats, including as a result of prior cybersecurity incidents, that have materially affected or are reasonably anticipated to materially affect the Company, including its business strategy, results of operations, or financial condition. Nevertheless, the Company recognizes cybersecurity threats are ongoing and evolving. For more information on the Company’s cybersecurity risks, refer to Item 1A, Risk Factors . ADM is committed to supporting the governance and oversight of cybersecurity risks and to implementing mechanisms, controls, technologies, and processes designed to help the Company assess, identify, and manage these risks. Cybersecurity risks are included in the risk universe that the Company s ERM function evaluates, with input from information security subject matter experts at the Company, to assess top risks to the enterprise. The ERM process provides input into our strategic planning process, such as development of action plans to address and mitigate identified risks. Integrating cybersecurity risk into the overall ERM process in this manner assists the Company in identifying, assessing, and managing material cybersecurity risks. 27 Item 1C. CYBERSECURITY (Continued) The Company has a dedicated cybersecurity team that collaborates with compliance, privacy, legal, and other teams across the global organization to assess the risk landscape. ADM s cybersecurity program is designed to be aligned with applicable industry standards and is assessed regularly by independent third-party auditors. The multifaceted nature of the Company s cybersecurity measures includes aspects of prevention, detection, and response capabilities, employee training programs, threat intelligence monitoring, and the implementation of an array of technologies. The Company has established processes to oversee and identify cybersecurity risks associated with the use of third-party service providers, which include the completion of due diligence before engaging with any third party, controls for response to mitigate any significant risks, and assessments and reviews during the course of the relationship. Additionally, the Company has ongoing partnerships with government and commercial cybersecurity experts to understand emerging cybersecurity threats. The Company has seen an increase in cyberattack volume, frequency, and sophistication. ADM seeks to detect and investigate unauthorized attempts and attacks against its network, products, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to the Company s internal processes and tools however, ADM remains potentially vulnerable to known or unknown threats. The Company s cyber incident response plan includes an escalation process if a cybersecurity incident meets specific rating criteria to trigger swift and effective action designed to minimize potential disruptions and protect the integrity of our operations. The Company also conducts periodic cybersecurity scenarios with senior management to enhance preparedness. The Board of Directors has oversight of cybersecurity risk, which it manages as part of the ERM program. The Board of Directors is assisted by the Audit Committee, which regularly reviews the cybersecurity program with management and reports to the Board of Directors. Cybersecurity reviews by the Audit Committee or the Board of Directors generally occur quarterly, or more frequently as determined to be necessary or advisable. In recent years, the Board added a director who had served as Chief Information Officer for a large public company with sensitive information to assist the Board and Audit Committee in overseeing cybersecurity risks. The Company s cybersecurity program is led by the Chief Information Security Officer (CISO), who reports to the Senior Vice President and Chief Technology Officer (CTO). The CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security team, many of whom hold cybersecurity certifications in Information Systems Security or Information Security Management, and through the use of technological tools and software and results from third party audits. Additionally, the CISO directs the Global Information and Cyber Security Council (the Council ), which includes a diverse range of relevant experts. The Council includes management from global technology, compliance, privacy, controlling, operations, security, automation, ERM, and internal audit. The Council promotes alignment and communication of new and ongoing cybersecurity prevention techniques and provides a forum for staying current on the latest cybersecurity threats. The CISO and CTO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. The CISO has served in that position since 2018 and, was previously the Vice President, Head of Enterprise Security, Americas at Worldpay and a Security Principal/Strategist for Hewlett Packard Enterprises for a combined cybersecurity experience of 20 years. The CTO joined ADM in 2016 and was previously Senior Vice President and Chief Information Officer at Dow Corning Corporation for approximately 6 years.
Item 1C. CYBERSECURITY (Continued) The Company has a dedicated cybersecurity team that collaborates with compliance, privacy, legal, and other teams across the global organization to assess the risk landscape. ADM s cybersecurity program is designed to be aligned with applicable industry standards and is assessed regularly by independent third-party auditors. The multifaceted nature of the Company s cybersecurity measures includes aspects of prevention, detection, and response capabilities, employee training programs, threat intelligence monitoring, and the implementation of an array of technologies. The Company has established processes to oversee and identify cybersecurity risks associated with the use of third-party service providers, which include the completion of due diligence before engaging with any third party, controls for response to mitigate any significant risks, and assessments and reviews during the course of the relationship. Additionally, the Company has ongoing partnerships with government and commercial cybersecurity experts to understand emerging cybersecurity threats. The Company has seen an increase in cyberattack volume, frequency, and sophistication. ADM seeks to detect and investigate unauthorized attempts and attacks against its network, products, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to the Company s internal processes and tools however, ADM remains potentially vulnerable to known or unknown threats. The Company s cyber incident response plan includes an escalation process if a cybersecurity incident meets specific rating criteria to trigger swift and effective action designed to minimize potential disruptions and protect the integrity of our operations. The Company also conducts periodic cybersecurity scenarios with senior management to enhance preparedness. The Board of Directors has oversight of cybersecurity risk, which it manages as part of the ERM program. The Board of Directors is assisted by the Audit Committee, which regularly reviews the cybersecurity program with management and reports to the Board of Directors. Cybersecurity reviews by the Audit Committee or the Board of Directors generally occur quarterly, or more frequently as determined to be necessary or advisable. In recent years, the Board added a director who had served as Chief Information Officer for a large public company with sensitive information to assist the Board and Audit Committee in overseeing cybersecurity risks. The Company s cybersecurity program is led by the Chief Information Security Officer (CISO), who reports to the Senior Vice President and Chief Technology Officer (CTO). The CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security team, many of whom hold cybersecurity certifications in Information Systems Security or Information Security Management, and through the use of technological tools and software and results from third party audits. Additionally, the CISO directs the Global Information and Cyber Security Council (the Council ), which includes a diverse range of relevant experts. The Council includes management from global technology, compliance, privacy, controlling, operations, security, automation, ERM, and internal audit. The Council promotes alignment and communication of new and ongoing cybersecurity prevention techniques and provides a forum for staying current on the latest cybersecurity threats. The CISO and CTO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. The CISO has served in that position since 2018 and, was previously the Vice President, Head of Enterprise Security, Americas at Worldpay and a Security Principal/Strategist for Hewlett Packard Enterprises for a combined cybersecurity experience of 20 years. The CTO joined ADM in 2016 and was previously Senior Vice President and Chief Information Officer at Dow Corning Corporation for approximately 6 years. Item 2. PROPERTIES The Company s operations are such that most products are efficiently processed near the source of raw materials. Consequently, the Company has many plants strategically located in agricultural commodity producing areas. The annual volume of commodities processed will vary depending upon availability of raw materials and demand for finished products. The Company also owns approximately 160 warehouses and terminals primarily used as bulk storage facilities and has 67 innovation centers. Processing plants and procurement facilities owned or leased by unconsolidated joint ventures are not included in the tables below. To enhance the efficiency of transporting large quantities of raw materials and finished products between the Company s procurement facilities and processing plants and also the final delivery of products to its customers around the world, the Company owns approximately 1,900 barges, 10,100 rail cars, 230 trucks, 1,200 trailers, 140 boats, and 3 oceangoing vessels and leases, under operating leases, approximately 640 barges, 21,800 rail cars, 350 trucks, 500 trailers, 24 boats, and 22 oceangoing vessels. 28

Company Information