CONSTELLATION BRANDS, INC. 10-K Cybersecurity GRC - 2024-04-23

Page last updated on April 23, 2024

CONSTELLATION BRANDS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-23 12:45:24 EDT.

Filings

10-K filed on 2024-04-23

CONSTELLATION BRANDS, INC. filed an 10-K at 2024-04-23 12:45:24 EDT
Accession Number: 0000016918-24-000054

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity risk management and strategy We have developed and implemented an enterprise-wide cybersecurity program designed to provide structured and thorough cybersecurity risk management and governance. Our cybersecurity program prioritizes, among other things, prevention of unauthorized access protection of sensitive information detection, assessment, and response to cyber threats and continuous improvement of our cybersecurity measures. We seek to achieve our cybersecurity program priorities through a multi-pronged approach to address cyber threats and incidents that includes implementation of various industry best practices, proactive monitoring of our IT systems, ongoing employee training, and regular risk assessments. We also maintain cyber insurance coverage to help mitigate a portion of the potential costs in the event of covered events. Our cybersecurity program is aligned with various frameworks for managing cybersecurity risks, such as the National Institute of Standards and Technology Cyber Security Framework for IT systems and International Electrotechnical Commission 62443 which governs cybersecurity for Industrial Control Systems. This program is a component of our ERM function. Our ERM function manages enterprise-wide risk and has established a governance structure in charge of continuous risk management. It has defined risk management processes related specifically to cybersecurity, which include targeted cyber risk reviews and annual cyber risk assessments over our IT and operations. We also have a Cyber and Privacy Risk Committee, led by our CISO, which provides strategic and actionable recommendations on cybersecurity topics, issues, and controls to our executive management team, and a Crisis Management Committee, led by our head of ERM, which manages significant cybersecurity events. We rely upon both internal and external resources for evaluating and enhancing our cyber posture. At least annually, our information security and internal audit teams conduct comprehensive internal and external penetration testing, supplemented by more frequent Purple-team Tests that are designed to identify critical areas of our technical environment and potential vulnerabilities that may need to be addressed. Our information security team also retains external cybersecurity firms to review and provide feedback on improving our cybersecurity program, including in the areas of data protection, threat and vulnerability management, and end-point protection. We conduct tabletop exercises to prepare for potential cyber incidents and assess our cybersecurity preparedness and processes. We also require annual cybersecurity training by our employees, conduct regular exercises to help our employees recognize phishing emails and other social engineering tactics, and provide various methods for employees to report suspicious activity that may give rise to a cyber incident or threat. Significant results of such testing and reviews are communicated to our executive management team and our Audit Committee, as applicable, and are utilized in our cybersecurity program s continuous improvement process. In response to the growing risks associated with third-party service providers, we have established review processes for assessing the technological and information security controls of our third-party suppliers to attempt to identify material cybersecurity risks associated with such providers, their IT systems, and their access to our IT systems that could significantly disrupt our operations. These processes encompass a range of measures, such as pre-engagement cybersecurity due diligence for providers who access our IT systems or information before their engagement, ongoing monitoring and evaluation of our providers, detailed examination of available System and Organization Controls attestation reports, and inclusion of relevant contractual provisions in our agreements with third-party service providers with respect to areas including cyber protections, notifications, auditing, and risk allocation. We maintain an IRP, which provides a set of core practices and procedures when responding to certain high-risk information security threats and incidents, and a CMP, which is designed to ensure appropriate resources are utilized to provide an effective, timely, and coordinated response in managing crises, including significant cyber threats and incidents. Among other things, the IRP sets forth roles and responsibilities in connection with detecting, assessing, and mitigating cybersecurity incidents and outlines applicable communication and escalation protocols. Under the CMP, our Crisis Management Committee will assume overall responsibility in an effort to Constellation Brands, Inc. FY 2024 Form 10-K #WORTHREACHINGFOR I 30 PART I OTHER KEY INFORMATION Table of Contents ensure that the appropriate functions and work streams are mobilized and coordinated to effectively manage any significant cyber events. As with all large IT systems, we have been a target of cyberattackers and other hacking activities, as have certain of our third-party service providers. While our cybersecurity program is designed to prevent unauthorized access and protect sensitive information, including through continuous improvement of our cybersecurity measures, and we have not experienced any material cyber threats or incidents to date, we can give no assurance that we will be able to prevent, identify, respond to, or mitigate the impact of all cyber threats or incidents. To the extent future cyber threats or incidents result in significant disruptions and costs to our operations, reduce the effectiveness of our internal control over financial reporting, or otherwise substantially impact our business, it could have a material adverse effect on our business, liquidity, financial condition, and/or results of operations. For additional discussion on our cybersecurity risks, refer to Item 1A. Risk Factors of this Form 10-K. Cybersecurity governance Our Board of Directors oversees the management of risks inherent in the operation of our business, with a focus on the most significant risks that we face, including those related to cybersecurity. The Board of Directors has delegated oversight of cybersecurity, including privacy and information security, as well as enterprise risk management to the Audit Committee. In connection with that oversight responsibility, our CDIO and CISO meet with the Audit Committee on a quarterly basis and provide information and updates on a range of cybersecurity topics which may include our cybersecurity program and governance processes cyber risk monitoring and management the status of projects to strengthen our cybersecurity and privacy capabilities recent significant incidents or threats impacting our operations, industry, or third-party suppliers and the emerging threat landscape. Our head of ERM also meets with our executive management team and the Audit Committee on a quarterly basis and with the Board of Directors on an annual basis and reports on applicable cyber risk management processes and activities pertinent to the ERM function. Our enterprise-wide cybersecurity program is managed by a dedicated information security team, including our Cyber and Privacy Risk Committee described above, led by our CISO. Our CISO has more than 25 years of technology experience across various disciplines, including nearly 15 years of experience as a CISO in the financial, manufacturing, and CPG industries. He has led our global information security organization for almost four years. In addition to his employment experience in the cybersecurity field, our CISO has a Master of Business Administration in management and operations and a Bachelor s Degree in technology management, and he has served on corporate and industry advisory boards related to cybersecurity, all of which have provided him with skills and experience to manage our global information security function. Our CISO reports to our CDIO, who meets regularly with other members of our executive team and provides relevant updates on our cybersecurity program. Constellation Brands, Inc. FY 2024 Form 10-K #WORTHREACHINGFOR I 31 PART I OTHER KEY INFORMATION Table of Contents

Company Information