FLOWERS FOODS INC 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

FLOWERS FOODS INC reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 15:56:51 EST.

Filings

10-K filed on 2026-02-25

FLOWERS FOODS INC filed a 10-K at 2026-02-25 15:56:51 EST
Accession Number: 0001193125-26-071441


Item 1C. Cybersecurity.

Protecting the confidentiality, integrity, and availability of our information systems is critical to our business operations, brands, and stakeholders. We maintain an enterprise cybersecurity program with processes to assess, identify, and manage material risks from cybersecurity threats. These processes are integrated into our enterprise risk management ("ERM") framework and address risks that could arise from our own operations as well as incidents at third-party service providers or partners.

Risk Management and Strategy.

Our cybersecurity program is aligned to industry-recognized frameworks (including the NIST Cybersecurity Framework) and is designed to evolve as threats and our business change. However, this does not mean that we will meet, or maintain, any particular technical standard, specification, framework, or requirement in the future; rather, we use the NIST Cybersecurity Framework and other standards as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. Key elements include:

- Threat identification and prevention: Layered technical and administrative controls informed by internal/external threat intelligence and periodic vulnerability assessments and penetration testing conducted with qualified third parties.
- Incident preparedness: A documented Computer Security Incident Response Plan ("CSIRP") that establishes an organizational framework and guidelines to assist the company in identifying, responding to, and recovering from computer security incidents, both at the company and at its third-party service providers in connection with incidents that may impact the company, including the security incident management team (the "SIM Team"), a legal team (the "Legal Team") and the computer security incident response team (the "CSIRT"), and regular tabletop exercises involving cross-functional stakeholders to validate readiness.
- Training and awareness: Mandatory training for employees and contractors, phishing simulations, and user-friendly reporting tools for suspected phishing or security issues.
- Third-party risk: Risk-based due diligence and contractual requirements for selected vendors and service providers and ongoing performance monitoring proportionate to the services provided.

We also periodically benchmark elements of our program and may engage independent experts to assess specific controls or processes as part of our continuous improvement efforts. In addition, we maintain cyber insurance coverage designed to help mitigate potential financial impacts of certain cybersecurity incidents. However, there is no guarantee that such coverage will be sufficient to address costs, liabilities and damages we may incur in connection with a cybersecurity incident or that such coverage will continue to be available on commercially reasonable terms or at all.

Governance.

The company's board of directors (the "Board" or "Board of Directors") oversees the company's Information Security program, which is approved annually. The audit committee is tasked with oversight of certain risk issues, including cybersecurity, and regularly reports its activities to the Board of Directors. As described in its charter, the audit committee of the Board of Directors oversees risks related to information technology security and regularly reviews and discusses with the VP of Information Security & Compliance and other members of management the company's information technology security risk exposures, including (a) the potential impact of those exposures on the company's business, financial results, operations and reputation, (b) the steps that management has taken to monitor and mitigate such exposures, (c) the company's information governance policies and programs, and (d) legislative and regulatory developments that could materially impact the company's privacy and data risk exposure.

Management's execution of the cybersecurity program is led by our Vice President of Information Security & Compliance, who reports directly to the company's chief financial officer. The VP of Information Security & Compliance has responsibility for information security strategy and operation and for managing and assessing material risks from cybersecurity threats. This individual has a variety of IT security skills, experiences and professional expertise, obtained through work experience and information security certifications and education. The VP of Information Security & Compliance regularly reports to the audit committee regarding policies and processes for assessing and managing risk associated with information technology and cybersecurity, as well as material cybersecurity incidents. In consultation with the VP of Information Security & Compliance, each of the SIM Team, the Legal Team, and the CSIRT has a discrete set of responsibilities and obligations under the CSIRP. The CSIRT is a broad, cross-functional team of management stakeholders assigned with coordinating, developing, and managing the company's response to computer security incidents when activated. The CSIRP provides that, when activated, the CSIRT will lead all aspects of incident response, including the engagement of outside counsel and other third-party resources, such as an external incident response team, forensic resources, a crisis management or public relations firm, or notification service providers. If the CSIRT is activated, incidents are escalated to a subcommittee of our Disclosure Committee, comprised of senior executives and leaders throughout the company, for materiality assessment and disclosure determinations consistent with applicable SEC requirements. For incidents where the CSIRT is not activated, either the SIM Team or the Legal Team, depending on the circumstances, is expected to lead and manage the incident response.

Impacts of Cybersecurity Threats.

To date, we do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. We continue to monitor the evolving threat environment, including ransomware, third-party incidents, and risks to operational technology systems, and we may experience cybersecurity events in the future that could have a material impact.

Cautionary Note.

We do not disclose specific technical information about our security architecture, control configurations, or vulnerabilities where such detail could impede our ability to respond to threats or could be used by threat actors to cause harm. Our disclosures are designed to provide decision-useful information to investors while maintaining appropriate security.


Company Information

Name: FLOWERS FOODS INC
CIK: 0001128928
SIC Description: Food and Kindred Products
Ticker: FLO - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: January 3