|Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended Dec. 29, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Our process for assessing, identifying, and managing material risks from cybersecurity threats is integrated into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. Our cybersecurity organization continually evaluates and addresses cybersecurity risk in alignment with our business objectives to address the evolving regulatory landscape and emerging risks, including those resulting from geopolitical shifts and technological innovations such as the growth of cloud technologies and artificial intelligence. We maintain a formal cybersecurity training program, including annual trainings for all Kenvuers, covering, among other topics, phishing, email security, and data privacy. We employ automation, and we also engage our internal audit function and a range of external consultants and other expert third parties in connection with the evaluation and management of cybersecurity risk and the maturation of our cybersecurity program.
Our cybersecurity organization assesses, monitors, and manages cybersecurity risk through technical, physical, and administrative controls, including implementing cybersecurity policies, procedures, and strategies, with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while increasing our system resilience in an effort to minimize business impact should an incident occur. The underlying controls of the cybersecurity risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology Cybersecurity Framework. In addition, we maintain a Data Incident Response Program, which is designed to identify, assess, manage, and report significant data incidents, including those reasonably likely to affect our business strategy, results of operations, or financial condition. In the event of a cybersecurity incident, our cybersecurity team assesses, among other factors, safety impact, supply chain and manufacturing disruption, data and personal information loss, business operations disruption, projected cost, and potential for reputational harm, with support from external technical and legal advisors and law enforcement, as appropriate. The Data Incident Response Program outlines the steps to be followed from incident detection to mitigation, recovery, and notification, including notifying functional areas, senior management, and the Company’s Disclosure Committee or a sub-committee thereof as appropriate. The Disclosure Committee or a sub-committee thereof will consider the materiality of an incident elevated by the Data Incident Response Program, inform our Board and other key stakeholders as appropriate, and determine the Company’s reporting obligation on a timely basis. Our organization tests and monitors these processes, including through table-top exercise testing with senior leaders.
We rely heavily on our supply chain to deliver our products to our customers and consumers, and a cybersecurity incident at a supplier or partner could materially adversely impact us. As such, we have processes in place to oversee and identify risks from cybersecurity threats associated with suppliers and our use of third-party service providers, including through our Supplier Cyber Risk Assessment process, which assesses third-party cybersecurity controls through a combination of risk assessment questionnaires, commercially available risk data, and proprietary algorithms. We also include security and privacy addendums to our contracts where applicable. We require that our suppliers and partners report cybersecurity incidents to us so that we can assess the impact of such an incident on us and have dedicated processes to respond to cybersecurity incidents at third parties.
Risks from cybersecurity threats did not materially affect our results of operations or financial condition during the fiscal twelve months ended December 29, 2024.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our cybersecurity organization assesses, monitors, and manages cybersecurity risk through technical, physical, and administrative controls, including implementing cybersecurity policies, procedures, and strategies, with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while increasing our system resilience in an effort to minimize business impact should an incident occur.
Cybersecurity-related risks are one of the key risks contemplated by our Enterprise Risk Management (“ERM”) Framework. The ERM Framework informs our strategic planning activities through a collaborative risk management environment that proactively identifies and prioritizes our strategic, preventable, and external risks (including new or changing regulations). The ERM Framework enables a clear understanding of the top risks and the exposure they have to our performance and strategic decisions. The ERM Framework is reviewed annually as part of a risk assessment that is presented to our Board.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The ERM Framework is reviewed annually as part of a risk assessment that is presented to our Board.
Our ERM Framework describes the roles and responsibilities of the Integrated Risk Management Council, a cross-functional group of senior enterprise risk leaders, which meets regularly to review and discuss significant risk facing our business, including cybersecurity risk. Our Integrated Risk Management Council, which includes our Chief Information Security Officer (“CISO”), proactively identifies, assesses, and prioritizes key or emerging risks, which are then escalated to senior management as needed and, in the case of cybersecurity risk, reported to our Board’s Nominating, Governance & Sustainability Committee (the “NG&S Committee”) or our full Board.
The NG&S Committee is responsible for assisting our Board with respect to designated risk oversight matters, including privacy and cybersecurity. The NG&S Committee receives reports from, and meets at least twice a year and as needed with, the CISO and the Chief Privacy and Digital Officer (“CPDO”). The CISO and the CPDO inform the NG&S Committee, which in turn informs our Board, of risks from cybersecurity threats during such meetings. The NG&S Committee reports to our full Board following each of its regularly scheduled meetings at a minimum and reviews with our Board significant issues or concerns that arise at NG&S Committee meetings. In addition, in February 2025, the CISO and the CPDO reviewed with our Board the cybersecurity and privacy programs, the Data Incident Response Program, and the role of our Board related thereto.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The NG&S Committee is responsible for assisting our Board with respect to designated risk oversight matters, including privacy and cybersecurity. The NG&S Committee receives reports from, and meets at least twice a year and as needed with, the CISO and the Chief Privacy and Digital Officer (“CPDO”).
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The CISO and the CPDO inform the NG&S Committee, which in turn informs our Board, of risks from cybersecurity threats during such meetings. The NG&S Committee reports to our full Board following each of its regularly scheduled meetings at a minimum and reviews with our Board significant issues or concerns that arise at NG&S Committee meetings. In addition, in February 2025, the CISO and the CPDO reviewed with our Board the cybersecurity and privacy programs, the Data Incident Response Program, and the role of our Board related thereto.
|Cybersecurity Risk Role of Management [Text Block]
|Cybersecurity-related risks are one of the key risks contemplated by our Enterprise Risk Management (“ERM”) Framework. The ERM Framework informs our strategic planning activities through a collaborative risk management environment that proactively identifies and prioritizes our strategic, preventable, and external risks (including new or changing regulations). The ERM Framework enables a clear understanding of the top risks and the exposure they have to our performance and strategic decisions. The ERM Framework is reviewed annually as part of a risk assessment that is presented to our Board.
Our ERM Framework describes the roles and responsibilities of the Integrated Risk Management Council, a cross-functional group of senior enterprise risk leaders, which meets regularly to review and discuss significant risk facing our business, including cybersecurity risk. Our Integrated Risk Management Council, which includes our Chief Information Security Officer (“CISO”), proactively identifies, assesses, and prioritizes key or emerging risks, which are then escalated to senior management as needed and, in the case of cybersecurity risk, reported to our Board’s Nominating, Governance & Sustainability Committee (the “NG&S Committee”) or our full Board.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our CISO leads a global cybersecurity organization, which develops our strategic cybersecurity priorities and executes operational plans.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has over 25 years of cybersecurity experience in the healthcare, finance, and telecommunications industries and in government. Prior to his role at Kenvue, our CISO spent over 10 years at J&J in cybersecurity, and he retired from the United States Air Force Reserves in 2018 as a Lieutenant Colonel, where he had responsibility for cybersecurity. He is a Certified Information Systems Security Professional and holds a Masters in Telecommunications Management from the University of Maryland, University College and a Directorship Certification from the National Association of Corporate Directors. Our CPDO has over 10 years of privacy and digital legal experience. Prior to his role at Kenvue, our CPDO worked for over 15 years in J&J’s Law Department. He also worked as a lawyer in private practice at the law firm Linklaters LLP, in industry associations, and in government, and he acted as Vice Chair of the Consumer Goods Privacy+ Consortium, an association developing compliance strategies and best practices to meet requirements of global privacy laws. He holds a Juris Doctor from Luiss Guido Carli University (Rome, Italy) and a Master of Laws in European Law and Economic Analysis from the College of Europe (Bruges, Belgium). The other members of the cybersecurity organization have decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes around the world, and rely on threat intelligence as well as other information obtained from governmental, public, or private sources, including external consultants.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|In addition, we maintain a Data Incident Response Program, which is designed to identify, assess, manage, and report significant data incidents, including those reasonably likely to affect our business strategy, results of operations, or financial condition. In the event of a cybersecurity incident, our cybersecurity team assesses, among other factors, safety impact, supply chain and manufacturing disruption, data and personal information loss, business operations disruption, projected cost, and potential for reputational harm, with support from external technical and legal advisors and law enforcement, as appropriate. The Data Incident Response Program outlines the steps to be followed from incident detection to mitigation, recovery, and notification, including notifying functional areas, senior management, and the Company’s Disclosure Committee or a sub-committee thereof as appropriate. The Disclosure Committee or a sub-committee thereof will consider the materiality of an incident elevated by the Data Incident Response Program, inform our Board and other key stakeholders as appropriate, and determine the Company’s reporting obligation on a timely basis. Our organization tests and monitors these processes, including through table-top exercise testing with senior leaders.
Our ERM Framework describes the roles and responsibilities of the Integrated Risk Management Council, a cross-functional group of senior enterprise risk leaders, which meets regularly to review and discuss significant risk facing our business, including cybersecurity risk. Our Integrated Risk Management Council, which includes our Chief Information Security Officer (“CISO”), proactively identifies, assesses, and prioritizes key or emerging risks, which are then escalated to senior management as needed and, in the case of cybersecurity risk, reported to our Board’s Nominating, Governance & Sustainability Committee (the “NG&S Committee”) or our full Board.
The NG&S Committee is responsible for assisting our Board with respect to designated risk oversight matters, including privacy and cybersecurity. The NG&S Committee receives reports from, and meets at least twice a year and as needed with, the CISO and the Chief Privacy and Digital Officer (“CPDO”). The CISO and the CPDO inform the NG&S Committee, which in turn informs our Board, of risks from cybersecurity threats during such meetings. The NG&S Committee reports to our full Board following each of its regularly scheduled meetings at a minimum and reviews with our Board significant issues or concerns that arise at NG&S Committee meetings. In addition, in February 2025, the CISO and the CPDO reviewed with our Board the cybersecurity and privacy programs, the Data Incident Response Program, and the role of our Board related thereto.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true