Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Feb. 28, 2025 |
---|---|
Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
Cybersecurity risk management and strategy
We have developed and implemented an enterprise-wide cybersecurity program designed to provide structured and thorough cybersecurity risk management and governance. Our cybersecurity program prioritizes, among other things, prevention of unauthorized access; protection of confidential, personal, or sensitive information; cyber threat detection, assessment, and response; and continuous improvement of our cybersecurity measures. We seek to achieve our cybersecurity program priorities through a multi-pronged approach to address cyber threats and incidents that includes implementation of various industry best practices, proactive monitoring of our IT systems, ongoing employee training, and regular risk assessments. We also maintain cyber insurance coverage to help mitigate a portion of the potential costs in the event of covered events.
Our cybersecurity program is aligned with various frameworks for managing cybersecurity risks, such as the National Institute of Standards and Technology Cyber Security Framework for IT systems and International Electrotechnical Commission 62443 which governs cybersecurity for Industrial Control Systems. This program is integrated into our ERM processes. Our ERM function manages enterprise-wide risk and has established a governance structure in charge of continuous risk management. It has defined risk management processes related specifically to cybersecurity, which include targeted cyber risk reviews, annual cyber risk assessments over our IT and operations, and integration with our information security function. We also have a Cyber and Privacy Risk Committee, led by our CISO, which provides strategic and actionable recommendations on cybersecurity topics, issues, and controls to our executive management team, and a Crisis Management Committee, led by our head of ERM, which manages significant cybersecurity events.
We rely upon both internal and external resources for evaluating and enhancing our cyber posture. At least annually, our information security and internal audit teams conduct extensive internal and external penetration testing, supplemented by more frequent Purple-team Tests that are designed to identify critical areas of our technical environment and potential vulnerabilities that may need to be addressed. Our information security team also retains external cybersecurity firms to review and provide feedback on improving our cybersecurity program, including in the areas of data protection, threat and vulnerability management, and end-point protection. We conduct a range of activities to assess our cybersecurity preparedness and processes and to prepare for potential cyber incidents, including tabletop exercises, simulations, and practical application drills with internal teams and external entities. We also require annual cybersecurity training by our employees, conduct regular exercises to help our employees recognize phishing attempts and other social engineering tactics, and provide various methods for employees to report suspicious activity that may give rise to a cyber incident or threat. Significant results of such testing and reviews are communicated to our executive management team and our Audit Committee, as applicable, and are utilized in our cybersecurity program’s continuous improvement process.
In response to the growing risks associated with third-party service providers, we have established review processes for assessing the technological and information security controls of our third-party suppliers to attempt to identify material cybersecurity risks associated with such providers, their IT systems, and their access to our IT systems that could significantly disrupt our operations. These processes encompass a range of measures, such as pre-engagement cybersecurity due diligence for providers who access our IT systems or information before their engagement, ongoing monitoring and evaluation of our providers, detailed examination of available System and Organization Controls attestation reports, and inclusion of relevant contractual provisions in our agreements with third-party service providers with respect to areas including cyber protections, notifications, auditing, and risk allocation.
We maintain an IRP, which provides a set of core practices and procedures when responding to certain high-risk information security threats and incidents, and a CMP, which is designed to ensure appropriate resources are utilized to provide an effective, timely, and coordinated response in managing crises, including significant cyber threats and incidents. Among other things, the IRP sets forth roles and responsibilities in connection with detecting, assessing, and mitigating cybersecurity incidents and outlines applicable communication and escalation protocols. Under the CMP, our Crisis Management Committee will assume overall responsibility in an effort to ensure that the appropriate functions and work streams are mobilized and coordinated to effectively manage any significant cyber events.
As with all large IT systems, we have been a target of cyberattackers and other hacking activities, as have certain of our third-party service providers. While our cybersecurity program is designed to prevent unauthorized access and protect sensitive information, including through continuous improvement of our cybersecurity measures, and we have not experienced any material cyber threats or incidents to date, we can give no assurance that we will be able to prevent, identify, respond to, or mitigate the impacts of all cyber threats or incidents. To the extent future cyber threats or incidents result in significant disruptions and costs to our operations, reduce the effectiveness of our internal control over financial reporting, or otherwise substantially impact our business, it could have a material adverse effect on our business, liquidity, financial condition, and/or results of operations. For additional discussion on our cybersecurity risks, refer to Item 1A. “Risk Factors” of this Form 10-K.
|
Cybersecurity Risk Management Processes Integrated [Flag] | true |
Cybersecurity Risk Management Processes Integrated [Text Block] |
We have developed and implemented an enterprise-wide cybersecurity program designed to provide structured and thorough cybersecurity risk management and governance. Our cybersecurity program prioritizes, among other things, prevention of unauthorized access; protection of confidential, personal, or sensitive information; cyber threat detection, assessment, and response; and continuous improvement of our cybersecurity measures. We seek to achieve our cybersecurity program priorities through a multi-pronged approach to address cyber threats and incidents that includes implementation of various industry best practices, proactive monitoring of our IT systems, ongoing employee training, and regular risk assessments. We also maintain cyber insurance coverage to help mitigate a portion of the potential costs in the event of covered events.
Our cybersecurity program is aligned with various frameworks for managing cybersecurity risks, such as the National Institute of Standards and Technology Cyber Security Framework for IT systems and International Electrotechnical Commission 62443 which governs cybersecurity for Industrial Control Systems. This program is integrated into our ERM processes. Our ERM function manages enterprise-wide risk and has established a governance structure in charge of continuous risk management. It has defined risk management processes related specifically to cybersecurity, which include targeted cyber risk reviews, annual cyber risk assessments over our IT and operations, and integration with our information security function. We also have a Cyber and Privacy Risk Committee, led by our CISO, which provides strategic and actionable recommendations on cybersecurity topics, issues, and controls to our executive management team, and a Crisis Management Committee, led by our head of ERM, which manages significant cybersecurity events.
|
Cybersecurity Risk Management Third Party Engaged [Flag] | true |
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
Cybersecurity Risk Board of Directors Oversight [Text Block] |
Cybersecurity governance
Our Board of Directors oversees the management of risks inherent in the operation of our business, with a focus on the most significant risks that we face, including those related to cybersecurity. The Board of Directors has delegated oversight of cybersecurity, including privacy and information security, as well as enterprise risk management to the Audit Committee. In connection with that oversight responsibility, our CIO and CISO meet with the Audit Committee on a quarterly basis and provide information and updates on a range of cybersecurity topics which may include our cybersecurity program and governance processes; cyber risk monitoring and management; the status of projects to strengthen our cybersecurity and privacy capabilities; recent significant incidents or threats impacting our operations, industry, or third-party suppliers; and the emerging threat landscape. Our head of ERM also meets with our executive management team and the Audit Committee on a quarterly basis and with the Board of Directors on an annual basis and reports on applicable cyber risk management processes and activities pertinent to the ERM function. The Audit Committee has also periodically participated in certain of our cyber tabletop exercises.
Our enterprise-wide cybersecurity program is managed by a dedicated information security team, including our Cyber and Privacy Risk Committee described above, led by our CISO. Our CISO has more than 25 years of technology experience across various disciplines, including 15 years of experience as a CISO in the financial, manufacturing, and CPG industries. He has led our global information security organization for more than five years. In addition to his employment experience in the cybersecurity field, our CISO has a Master of Business Administration in management and operations and a Bachelor’s Degree in technology management, and he has served on corporate and industry advisory boards related to cybersecurity, all of which have provided him with skills and experience to manage our global information security function. Our CISO reports to our CIO, who meets regularly with other members of our executive team and provides relevant updates on our cybersecurity program.
|
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Our Board of Directors oversees the management of risks inherent in the operation of our business, with a focus on the most significant risks that we face, including those related to cybersecurity. The Board of Directors has delegated oversight of cybersecurity, including privacy and information security, as well as enterprise risk management to the Audit Committee. |
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | In connection with that oversight responsibility, our CIO and CISO meet with the Audit Committee on a quarterly basis and provide information and updates on a range of cybersecurity topics which may include our cybersecurity program and governance processes; cyber risk monitoring and management; the status of projects to strengthen our cybersecurity and privacy capabilities; recent significant incidents or threats impacting our operations, industry, or third-party suppliers; and the emerging threat landscape. Our head of ERM also meets with our executive management team and the Audit Committee on a quarterly basis and with the Board of Directors on an annual basis and reports on applicable cyber risk management processes and activities pertinent to the ERM function. The Audit Committee has also periodically participated in certain of our cyber tabletop exercises. |
Cybersecurity Risk Role of Management [Text Block] | Our enterprise-wide cybersecurity program is managed by a dedicated information security team, including our Cyber and Privacy Risk Committee described above, led by our CISO. |
Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our CISO has more than 25 years of technology experience across various disciplines, including 15 years of experience as a CISO in the financial, manufacturing, and CPG industries. He has led our global information security organization for more than five years. In addition to his employment experience in the cybersecurity field, our CISO has a Master of Business Administration in management and operations and a Bachelor’s Degree in technology management, and he has served on corporate and industry advisory boards related to cybersecurity, all of which have provided him with skills and experience to manage our global information security function. Our CISO reports to our CIO, who meets regularly with other members of our executive team and provides relevant updates on our cybersecurity program. |
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |