SpartanNash Co 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 27, 2025

SpartanNash Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:10:48 EST.

Filings

10-K filed on 2025-02-26

SpartanNash Co filed a 10-K at 2025-02-26 16:10:48 EST
Accession Number: 0000950170-25-027738


Item 1C. Cybersecurity.

Management’s Role

The Information Security function is led by the Company’s Director of Cybersecurity & Architecture, under the direction of the Chief Information Officer (“CIO”). The Director of Cybersecurity & Architecture, assisted by a third-party fractional Chief Information Security Officer retained by the Company in August 2024, manages the Company’s Cybersecurity program. The Company’s cybersecurity management team includes members with relevant cybersecurity experience who hold cybersecurity certifications. Key responsibilities of this Information Security function include developing cybersecurity strategies; managing cybersecurity governance; performing cybersecurity risk assessments and tabletop exercises; ensuring compliance with security standards and regulatory requirements; managing identity and access; monitoring cybersecurity threats; validating cybersecurity alerts; preparing for and responding to cybersecurity incidents, business continuity and disaster recovery plans; and creating security awareness through periodic trainings of both Company leadership and Associates. The Company’s CIO, Director of Cybersecurity & Architecture, and Chief Legal Officer (“CLO”) have shared oversight responsibilities of the Company’s Cybersecurity program.

Board Oversight

The Company’s Board of Directors (“Board”) has appointed the Audit Committee to assist the Board in fulfilling its responsibilities with respect to the oversight of cybersecurity, data security, privacy programs, and the Company’s response to security breaches. Two Company Directors serving on the Audit Committee completed the National Association of Corporate Directors/Carnegie Mellon CERT cyber-risk oversight program along with required examinations and earned the CERT designation.

The CIO provides at least quarterly updates to the Audit Committee on the Cybersecurity program, which include a current evaluation of the Company’s maturity within the National Institute of Standards and Technology (“NIST”) framework, including assessments against key performance indicators, updates on internal phishing campaigns, tabletop exercises conducted at various levels of the organization including with representation from the Audit Committee, and management training. The Audit Committee also reviews reports and recommendations from third parties periodically engaged by the Company to assess the cybersecurity control environment. In addition, the Company’s Internal Audit function periodically audits elements of the security program and reports its observations to the CIO, CLO and the Audit Committee.

Risk Management and Strategy

As a component of the Company’s overall risk management process, which is aligned with a broader Enterprise Risk Management framework, the Company has implemented a multi-layered approach to minimize cybersecurity risk and safeguard its data. The Company conducts cybersecurity risk assessments on a regular basis and responds to identified risk exposures by employing a combination of risk mitigation strategies, including the adoption of cybersecurity controls and maintaining a cybersecurity insurance policy that provides coverage for security breaches. The Company engages third-party consultants periodically to evaluate elements of the cybersecurity policy, processes, procedures and controls. The CIO and other members of the Executive Leadership Team respond to applicable recommendations arising from the third-party consultants. In addition, the Company engages a Qualified Security Assessor as part of the compliance requirements for Payment Card Industry (“PCI”).

The Company also engages with a third-party risk management provider to ensure its vendors comply with internal security and privacy requirements and that key vendors are continually monitored for security risks. The Company’s cybersecurity governance practices are based on the Company’s common control framework, which incorporates elements from the NIST Cybersecurity Framework, the Center for Internet Security’s benchmark standards, and specific regulatory and industry requirements including the Health Insurance Portability and Accountability Act and PCI.

The CIO provides at least quarterly updates on the cybersecurity program, including the results of the cybersecurity risk assessments and the related responses, to the Company’s Security Governance Council composed of members of the Executive Leadership Team. The Company has a Cybersecurity Policy, Privacy Policy, Cybersecurity Incident Response Plan, and a materiality assessment framework inclusive of disclosure controls and procedures to assist the Company in satisfying disclosure obligations. The Company continually monitors cybersecurity threats and has a dedicated cybersecurity team in place to identify if any of the threats may lead to a cybersecurity incident. In the event of such an incident, the Company will take decisive measures to thoroughly analyze, contain, and eliminate the threat. The Company reviews cybersecurity incidents through a materiality assessment framework, which provides quantitative and qualitative considerations for evaluating the magnitude of an individual event. Based on the preliminary evaluation of an event, the Company’s Cybersecurity Incident Disclosure Committee will convene to assess materiality and determine corrective actions and internal and external disclosure requirements. The Cybersecurity Incident Disclosure Committee is composed of the following individuals: the Chief Financial Officer, Corporate Controller, CLO, and CIO.

Effect of Cybersecurity Threats

As of the effective date of this filing, the Company is currently not aware of any known or potential cybersecurity threats that are reasonably likely to materially affect the Company’s business strategy, results of operations, or financial conditions. Although the Company believes it has implemented sufficient security measures to protect against cyber-attacks, unknown cyber incidents could materially disrupt the Company’s operations or compromise sensitive information.


Company Information

Name: SpartanNash Co
CIK: 0000877422
SIC Description: Wholesale-Groceries, General Line
Ticker: SPTN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 27