Dole plc 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

Dole plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 16:10:12 EST.

Filings

10-K filed on 2026-03-02

Dole plc filed a 10-K at 2026-03-02 16:10:12 EST
Accession Number: 0001857475-26-000028

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Dole recognizes cybersecurity as an integral component of our enterprise risk management framework and the identification, assessment and management of cybersecurity threats are embedded into the Company's overall risk management strategy and infrastructure. At the global level, an Executive Information Technology and Security Steering Committee ("IT Steering Committee") is accountable for developing processes to identity and address risks from cybersecurity threats, including the unauthorized access, use, disruption, modification or destruction of our information systems and networks or the information residing on those systems and networks. The IT Steering Committee includes the Chief Operating Officer, Chief Financial Officer, the Director of Global Information Security ("DGIS") and the two most senior IT leaders. The DGIS is responsible for ensuring that appropriate administrative, technical and physical safeguards are implemented across the Group. These processes that the DGIS is responsible for include, but are not limited to, maintaining and enhancing information security policies and procedures, implementing effective internal controls, increasing safeguards of information systems and related data, evaluating threats and vulnerabilities of information technology infrastructures and improving incident evaluation, communication and response. The DGIS supports the implementation of these processes at the local operating level, working closely with operational IT and cybersecurity teams to ensure ownership of the security of their IT systems. To strengthen this alignment, the DGIS has also established a technical cybersecurity team embedded across the business verticals, enabling local implementation of security measures while ensuring consistency with the Company's overall cybersecurity strategy. The DGIS is responsible for developing, maintaining and monitoring cybersecurity tools including the global cybersecurity roadmap, maturity model, metrics, risk register and training program. For example, the DGIS executes structured assessments against industry standards and regulatory expectations to inform enhancements to our layered defense model and strengthen our monitoring capabilities. The Company emphasizes the importance of security training to help create a stronger culture of security. These measures support our ability to identify, evaluate, and mitigate threats in a consistent manner across the Company. The Company's cybersecurity risk management process is integrated into the Company's enterprise risk management processes. Each operating division considers cybersecurity risk as part of its development of divisional risk registers. The Company's Operational Risk Committee, which includes all divisional presidents, uses those divisional risk registers and the cybersecurity risk register, with support from the DGIS, to develop an operational risk register. The Company's Executive Risk Committee, which includes executive management, then uses the operational risk register as the foundation of the Company's enterprise risk register. From time to time, the Company utilizes third-party auditors and consultants to independently evaluate and test Dole's cybersecurity strategy, risk management, infrastructure and governance. The Company also utilizes third-party service providers for certain information systems requirements and employs systems and processes designed to oversee, identify and reduce the potential impact of a security incident at a third-party service provider or otherwise implicating the third-party technology and systems we use. In particular, cybersecurity risk assessments and the evaluation of controls related to the prevention and detection of cybersecurity incidents related to the use of third-party service providers are integrated into our global internal controls over financial reporting and information technology general control frameworks. External experts, combined with our internal teams and frameworks, are used to support the Company's ability to identify, detect, protect against, respond to and recover from cybersecurity incidents. The Company experienced a cybersecurity incident in 2023. In response, the Company engaged third-party providers to assist with investigation of the incident, including Dole's readiness and response, and the Company has been implementing resulting recommendations as appropriate. The Company does not believe that any risks from cybersecurity threats, including as a result of the 2023 incident, are reasonably likely to have materially affected or are reasonably likely to materially affect the Company over the long term. For more information, please see " Item 1A. Risk Factors-We are subject to risks relating to our handling of information, operation of our information systems, and the information systems of third parties ." Governance The DGIS has responsibility for the design and implementation of the Company's global information security strategy, in addition to ensuring that appropriate tools and monitoring are in place. The DGIS works directly with the individuals responsible for cybersecurity embedded within the Company's operating divisions and has a direct line of communication with these individuals for all cybersecurity related matters, including the cybersecurity risk identification, assessment and management process and the prevention, detection, mitigation and remediation of cybersecurity incidents. The DGIS has over two decades of experience in information technology and related fields, including information technology management, internal audit, data protection and cybersecurity, and previously served as the Global Information Security Director for Legacy Dole. The Company has developed formal information and communication channels for cybersecurity incidents to be reported to the IT Steering Committee. In the case of a cybersecurity incident, we prioritize incident response and containment of the threat, including mitigating the threat's impact on business operations and minimizing the risk of data theft and loss. The Audit Committee is responsible for reviewing the Company's guidelines and policies governing the process by which senior management of the Company, including the DGIS, and the relevant departments of the Company, assess and manage the Company's exposure to risk. The Board of Directors is responsible for overseeing the assessment and management of cybersecurity risk exposures, including discussing with management such risk exposures and the steps management has taken to monitor and control such exposures. The Executive Risk Committee reports annually to the Audit Committee on its work in developing the global risk register, including reporting on the final risk register. As discussed above, cybersecurity risk assessment is part of that process. The Board of Directors is responsible for reviewing the measures implemented by the Company to identify and mitigate risks from cybersecurity threats. As part of such reviews, the Board of Directors receives reports and presentations from members of our team responsible for overseeing the Company's cybersecurity risk management, including the IT Steering Committee, represented by the Chief Operating Officer and Chief Financial Officer, and the DGIS.

Company Information