Mission Produce, Inc. 10-K Cybersecurity GRC - 2025-12-18

Page last updated on December 18, 2025

Mission Produce, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-12-18 16:22:19 EST.

Filings

10-K filed on 2025-12-18

Mission Produce, Inc. filed a 10-K at 2025-12-18 16:22:19 EST
Accession Number: 0001802974-25-000048

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity and Information Technology Governance Our Board of Directors addresses the Company's cybersecurity risk management as part of its general oversight function. The Board of Directors has delegated to the Audit Committee oversight of cybersecurity risk management processes, including oversight of mitigation of risks from cybersecurity threats, and management provides regular reports to the Audit Committee and the Board of Directors regarding cybersecurity and other information technology risks and the processes the Company has implemented to address them. Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Information Officer (CIO), who has 30 years of information technology experience and 15 years of cybersecurity experience, who oversees our information security program and is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company's overall risk management strategy, and communicating key priorities to relevant personnel. Our Chief Financial Officer and other executive officers are responsible for setting budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances. Management works with the Company's incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company's incident response plan includes reporting to the audit committee of the board of directors for certain cybersecurity incidents as appropriate. Risk management and strategy Our Information Technology and Information Security teams, led by our CIO, are responsible for leading enterprise-wide cyber resilience strategy, policy, standards, architecture, and processes and helps identify, assess and manage the Company's cybersecurity threats and risks, including through the use of the Company's risk register. We have implemented and maintain various technical, physical, and organizational measures, processes, standards, and policies designed to protect and continue to improve the security of our computer systems, software, networks, and other technology assets. Our security efforts are designed to preserve the confidentiality, integrity, and continued availability of the critical information owned by, or in the care of, the Company, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and customer and business partner data, and protect against, among other things, cybersecurity attacks by unauthorized parties attempting to obtain access to confidential information, destroy data, disrupt, or degrade service, sabotage systems, or cause other damage. Our information security program is integrated into our overall enterprise risk management program and shares common reporting channels and governance processes that apply to other legal, compliance, strategic, operational, and financial risk areas. Depending on the environment, systems, and data, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our information systems and critical data, including, for example, an incident response plan, incident detection and response processes, disaster recovery plans, risk assessments, encryption of certain data, network security controls, access controls, physical security, systems monitoring, penetration testing, cybersecurity insurance, vendor risk management processes, and employee training, and employment of a defense-in-depth methodology. We leverage internal resources, along with strategic external partnerships, to mitigate cybersecurity threats to the Company. We have partnerships for Security Operations Center (SOC) services and various third-party assessments of our cybersecurity practices. We deploy both commercially available solutions, such as firewall and antivirus software, and proprietary systems to manage threats to our information technology environment actively. 17 Certain of our information technology applications are externally audited as part of our Sarbanes-Oxley audit program and our controls include information security standards. We regularly engage appropriate external resources regarding emerging threats to navigate the diverse cybersecurity landscape. The Company has established well-defined response procedures to effectively address cyber events that may occur despite these robust safeguards. These response procedures are designed to identify, analyze, contain, and remediate such cyber incidents to ensure a timely, consistent, and compliant response to actual or attempted data incidents impacting the Company. Further, we also carry third-party cybersecurity insurance. We employ an information security and training program for our employees, including mandatory computer-based training, regular internal communications, and ongoing end-user testing to measure the effectiveness of our information security program. As part of this commitment, we require our employees to complete a Cybersecurity Awareness eCourse and acknowledge our Information Security policies. In addition, we have an established schedule and process for regular phishing awareness campaigns that are designed to emulate real-world contemporary threats and provide immediate feedback (and, if necessary, additional training or remedial action) to employees. We use third-party service providers to perform a variety of functions throughout our business, including software and cloud data service providers, for certain areas of our business, including sourcing/procurement, supply chain, manufacturing, distribution, information technology support services and administrative functions (such as payroll processing, health and benefit plan administration and certain finance and accounting functions). We have vendor management processes to manage cybersecurity risks associated with our use of certain of these providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including "System security risks, data protection breaches, cyber-attacks (including artificial intelligence (AI)-enabled threats), AI-related operational errors, and systems integration issues could disrupt our internal operations or services provided to customers, and any such disruption could reduce our expected revenue, increase our expenses, damage our reputation and adversely affect our stock price."

Company Information