Albertsons Companies, Inc. 10-K Cybersecurity GRC - 2024-04-22

Page last updated on April 22, 2024

Albertsons Companies, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-22 08:33:49 EDT.

Filings

10-K filed on 2024-04-22

Albertsons Companies, Inc. filed a 10-K at 2024-04-22 08:33:49 EDT
Accession Number: 0001646972-24-000060


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our cybersecurity risk management processes for assessing and managing risks from cybersecurity threats include proactively identifying and detecting internal and external threats and vulnerabilities and mitigating, containing or eradicating attacks, as necessary. To ensure the highest levels of availability and integrity of critical business systems and services, we have designed a comprehensive risk reduction strategy. Our cybersecurity related risk management processes include assessing risk based on business criticality, data classification, disaster recovery rating, and security monitoring of our operations (e.g., network, systems, retail stores, manufacturing plants and distribution centers) to determine where and how critical business operations could be impacted by a cyber incident. We maintain a risk repository and partner with technology and business teams to remediate risk. Our cybersecurity team conducts regular risk assessments to analyze the likelihood of compromise and magnitude of harm caused by unauthorized access, use, disclosure, disruption, modification, or destruction of the Company's systems and data. We also perform risk assessments on our third-party suppliers. We make reasonable efforts to require third-party service providers to manage vulnerabilities in their environments to prevent the risk of impact to our business operations and enterprise network. We also undertake an annual National Institute of Standards and Technology (NIST) Cybersecurity Framework assessment, conducted by a third party, to ensure our cybersecurity program is maturing in line with industry and includes the key functions and capabilities to address key risk areas. Collectively with our technology partners, we continuously (24/7) monitor our systems and assets to quickly respond to cybersecurity threats against our business.

We conduct vulnerability scanning of our infrastructure and applications to identify risk and work with relevant stakeholders to proactively remediate risk where necessary. Additionally, we partner with multiple third-party managed security service providers ("MSSP") for enhanced monitoring of our information technology and data security environment and to perform proactive detection and investigation of malicious activity within our network. We have defined processes with our third-party MSSPs for handling and escalating identified potential malicious activity within the Company's information technology environment. MSSPs and internal stakeholders perform response actions when a security event is identified. Additionally, we meet regularly with our MSSPs to enhance processes and to ensure service level requirements are being met. Information security risk events are managed by following our cyber incident response plan and executed by our cybersecurity team in coordination with stakeholders (including legal counsel) who review and assess materiality based on qualitative and quantitative factors. In the case of a risk event that has a broad organizational impact, the event will be escalated to the Company's Corporate Crisis Management Team, comprised of senior leadership, who will execute a tailored response plan, activate notification procedures where applicable, and, guided by legal counsel, coordinate communications with appropriate business partners and manage the incident through closure. We conduct annual tabletop exercises to test our response processes and incident management procedures. The outcomes from these exercises are used to drive continuous improvement in how we handle cybersecurity incidents.

Governance

Our Board of Directors ("Board") is engaged in risk management and the oversight of Company-wide risks. To supplement its risk oversight function, our Board has delegated certain risk management responsibilities to the Audit and Risk Committee (the "Audit Committee") and the Technology Committee of the Board. As part of its responsibility related to enterprise-wide risk management, the Audit Committee reviews and discusses with management cybersecurity risks, how they are being addressed and the effectiveness of risk management policies and practices to help safeguard the Company's operations, financial systems, and data in an ever-evolving threat landscape. The internal audit team, in its quarterly compliance and risk assessment update to the Audit Committee, reports on its reviews of the Company's cybersecurity risk exposures, controls and management actions. In addition to this regular reporting, significant cybersecurity incidents, risks or threats may also be escalated on an as-needed basis to the Audit Committee. The Technology Committee is responsible for oversight of the Company's technology risk management, including but not limited to the Company's technology related policies, technology architecture, significant emerging technology issues and trends that may affect the Company, and practices and safeguards for information technology, cybersecurity, and data security. Our Chief Information Security Officer ("CISO") presents cybersecurity related topics quarterly to the Technology Committee, including reviews of key information security risk metrics and program maturity progress, and annually updates the Board on external assessments. At the management level, our cybersecurity organization is led by the Company's CISO, who reports to the Company's Chief Technology and Transformation Officer.

The CISO is responsible for all aspects of our cybersecurity program across the Company, which includes cybersecurity engineering and architecture, cybersecurity operations, incident response, threat intelligence, identity and access management, cybersecurity risk and compliance, and vulnerability management. Our CISO has served in leadership roles across the retail, financial services, and national security sectors. Before joining the Company, he was Deputy CISO at Capital One Financial Corp. and Deputy Assistant Secretary of Defense for Cyber Policy. He earned a BS in Mechanical Engineering from the University of Virginia, an MS in Telecommunications and Computers from George Washington University, and an MBA from the Stanford Graduate School of Business. He continues to serve as a Colonel in the United States Air Force Reserve as a Senior Advisor to the Commander of USCYBERCOM.

Risks from Material Cybersecurity Threats

As of the date of this report, we have not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on the Company. Although we have not experienced cybersecurity incidents that are individually, or in the aggregate, material, we have experienced cyberattacks in the past, which have been mitigated by preventive, detective, and responsive measures put in place by the Company. For a detailed discussion of the Company's cybersecurity related risks, see "Item 1A. Risk Factors - Risks Related to Information Security, Cybersecurity, Data Privacy and Evolving Technologies."


Company Information

Name: Albertsons Companies, Inc.
CIK: 0001646972
SIC Description: Retail-Grocery Stores
Ticker: ACI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: February 23