SCOTTS MIRACLE-GRO CO 10-K Cybersecurity GRC - 2025-11-25

Page last updated on November 26, 2025

SCOTTS MIRACLE-GRO CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-25 16:57:04 EST.

Filings

10-K filed on 2025-11-25

SCOTTS MIRACLE-GRO CO filed a 10-K at 2025-11-25 16:57:04 EST
Accession Number: 0000825542-25-000022


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Cybersecurity risk was identified as a significant enterprise risk based on the results of our most recent enterprise risk assessment. As a significant enterprise risk, we have worked to identify the underlying drivers of cybersecurity risk, identify the activities in place to manage it and assess its residual risk level. We have developed and implemented comprehensive strategies and processes to assess, identify, manage and mitigate cybersecurity risks, aligning with the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"). These processes include:

- implementing security event monitoring, incident response processes, access management controls, vulnerability identification and remediation, third-party risk monitoring and user awareness and training;
- providing regular security training and awareness content for all associates, with mandatory training for new hires;
- maintaining cybersecurity risk insurance to mitigate potential breach-related costs;
- engaging consultants to perform periodic external assessments using industry-recognized frameworks like NIST CSF; and
- monitoring program maturity through periodic reviews against the Capability Maturity Model Integration framework.

Mitigating Risks Posed by Third Parties

Risk Assessments

We identify and categorize existing third-party service providers based on criticality to our operations and prioritize those that pose the highest risks. We leverage a third-party risk management solution to facilitate our risk assessment process for new third parties, which includes interviews and questionnaires with internal business contacts and contacts from the third party to perform an inherent risk assessment. We determine applicable security controls based on the inherent risk level to drive the residual risk score to an acceptable level where possible. The goal of the risk assessment process is to evaluate the risks associated with each third party, including operational, financial, legal and reputational risks.

Ongoing Monitoring

Based on the residual risk score of a third party, we conduct assessments on a periodic basis to help ensure that we maintain current information on our vendors. We leverage an external third-party monitoring service to conduct continuous monitoring of our critical vendors to provide additional visibility and response efforts, and work directly with vendors to remediate identified vulnerabilities. Finally, we review contracts that outline risk management responsibilities, compliance requirements, data protection and incident management protocols.

Incident Management

We have developed an incident response plan that establishes a process for addressing issues arising from third-party relationships and communication channels for reporting and managing incidents involving third parties.

Documentation and Reporting

We maintain detailed records of our third-party assessments and any information or documentation that is provided during the assessment process. We regularly review and report on third-party risk management activities and any significant issues to senior management and/or our Audit Committee.

External Resources; Associate Training and Awareness

We have developed a comprehensive information security program that relies on support from third-party experts and an internal training and awareness program aligned with industry standards and best practices. Given the complex and evolving nature of cybersecurity threats, we engage third-party advisors and consultants to assist us in developing and maintaining effective cybersecurity risk management processes. Partnering with these third parties allows us to leverage specialized knowledge and insights, better ensuring our cybersecurity strategies and processes are well-designed and effective. For example, we work with third parties to regularly conduct simulated attack exercises to identify additional needs for training and overall program refinement.

Internally, our training and awareness program creates multi-layered defenses by empowering associates with knowledge and tools to recognize and respond to security risks. Through role-specific and comprehensive training, we seek to maintain a workforce that actively contributes to the achievement of our cybersecurity goals. Key components of our training program include:

- Onboarding Training - All new associates participate in an initial cybersecurity training module at onboarding. This training covers the Company's security policies, data protection standards and foundational security practices, helping to ensure that new hires are equipped to meet the Company's expectations pertaining to its security protocols.
- Articles - We publish articles on our intranet site for all associates to easily access. These articles highlight emerging threats, industry trends and actionable tips to help associates enhance their personal and professional security posture. We target critical topics such as ransomware, social engineering, data management and the latest threats and best practices.
- Phishing Simulations - Our phishing awareness program includes continuous phishing simulations conducted on a routine basis. This program helps associates develop the skills to effectively identify and mitigate phishing attempts. Associates who fail a threshold number of simulations during a calendar year are required to undergo additional training.
- Cybersecurity Awareness Month Activities - We have implemented interactive, virtual and on-site awareness activities during Cybersecurity Awareness Month in October. These activities include phishing simulations, articles, lunch and learns and gamification to serve as refreshers on critical security concepts and reinforce our commitment to maintaining a security-conscious culture.

Governance

Our Board of Directors has overall oversight responsibility for our risk management and has delegated oversight of cybersecurity risks to our Audit Committee, including overseeing the actions management has taken to identify, monitor and control such exposure. On a quarterly basis, our Audit Committee reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. As part of our continued investment in developing our overall enterprise risk management program, our Audit Committee receives reports and presentations from management which address a range of cybersecurity topics, including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment and technological trends. Our Chief Information Security Officer ("CISO") and information security management team report to our Audit Committee on a quarterly basis on cybersecurity matters.

At the management level, our CISO leads the team responsible for implementing, monitoring and maintaining information security, including data protection practices across our business. Our CISO receives reports on cybersecurity threats from both our internal personnel and external partners on a regular basis. Our Chief Operating Officer and Chief Financial Officer receive regular reports from our CISO on the information security program and measures implemented by the Company to identify and mitigate cybersecurity risks. Our CISO works closely with our legal team to ensure compliance with legal and regulatory requirements related to cybersecurity. Our CISO has over a decade of cybersecurity and risk management experience and holds CISA, CISM and CISSP certifications as well as a bachelor's degree in Business Information Systems.

Cybersecurity Threats and Incidents

To date, cybersecurity incidents have not materially affected us, including our business strategy, results of operations or financial condition. During fiscal 2025, fiscal 2024 and fiscal 2023, the Company did not experience any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company or its business strategy, results of operations and/or financial condition. Despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents or provide assurances that we have not experienced undetected cybersecurity incidents. For additional details regarding the risks the Company faces from cybersecurity threats, see "ITEM 1A. RISK FACTORS - Risks Related to Our Business - Our operations, financial condition or reputation may be impaired if our information or operational technology systems fail to perform adequately or if we are the subject of a data breach or cyber attack" in this Form 10-K.


Company Information

Name: SCOTTS MIRACLE-GRO CO
CIK: 0000825542
SIC Description: Agricultural Chemicals
Ticker: SMG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29