|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
May 25, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
Assessing, Identifying and Managing Material Risks
Our cybersecurity program is focused on assessing, identifying, and managing risks arising out of our use of information technology including the risk of cybersecurity incidents and threats. Our program is informed by recognized frameworks (such as the U.S. Department of Commerce’s National Institute of Standards and Technology Cybersecurity Framework) and leverages external and internal expertise, as appropriate. Our program is integrated into our operations and is widely communicated to employees through annual employee and contractor cybersecurity awareness training, regular awareness exercises, and employee outreach activities including cybersecurity tech talks, on-site digital signage, intranet resources, CEO cybersecurity champion recognition at quarterly town hall meetings, and other targeted communications. These awareness measures are coupled with ongoing implementation of technology aimed to reduce vulnerabilities (including external testing and validation) and to monitor and assess threats. Our program includes monitoring on an ongoing basis by automated tools that detect threats and trigger alerts for assessment, investigation, and remediation by our internal cybersecurity team.
Integration with Enterprise Risk Management
The cybersecurity program is an important part of the Company’s enterprise risk management (ERM), with our Senior Vice President & Chief Information Officer serving on our ERM Committee and our Vice President of ERM serving as the strategic crisis management coordinator under our cybersecurity incident response plan. We have developed processes for managing cybersecurity
incidents including clear allocation of responsibilities and defined incident classifications, escalation requirements based on materiality, and prioritization parameters. Our cybersecurity incident response plan is integrated into our ERM Committee risk mitigation action plan process, our Senior Leadership Team (SLT) strategic crisis management action plan process, and our Disclosure Committee protocol for cybersecurity incidents. We also maintain business continuity and disaster recovery plans to prepare for potential information technology disruptions.
Cybersecurity Program Components
Our cybersecurity program structure consists of our cybersecurity operations center; identity and access management; governance, risk, and compliance; architecture; and operational technology. Aspects of our program include:
Learnings from these activities are used to inform our training, guide our incident response preparedness and enhance our plans and processes. To further inform our cybersecurity program, we also participate in discussions with third-party service providers who have experienced cybersecurity incidents.
Investment in Cybersecurity Program
The cybersecurity threat landscape is dynamic and volatile, and requires significant investment on the part of the Company in several key areas including investing in our employees through talent recruitment, retention, training and development, investing in external resources including procuring and deploying the correct tools to monitor, evaluate, and address threats, investing employee resources to maintain effective processes, and investing in strategic relationships to monitor evolving risks including third-party service provider vulnerabilities. While our third-party service providers have experienced cybersecurity incidents and we have experienced threats to our data and systems, to date, we are not aware that we have experienced a breach that had a material impact on our operations or business, however, cybersecurity risks that may materially impact the Company are discussed in more detail in Item 1A of Part I, “Risk Factors,” under the heading “Cybersecurity and Information Technology Risks,” which should be read in conjunction with the foregoing information.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Assessing, Identifying and Managing Material Risks
Our cybersecurity program is focused on assessing, identifying, and managing risks arising out of our use of information technology including the risk of cybersecurity incidents and threats. Our program is informed by recognized frameworks (such as the U.S. Department of Commerce’s National Institute of Standards and Technology Cybersecurity Framework) and leverages external and internal expertise, as appropriate. Our program is integrated into our operations and is widely communicated to employees through annual employee and contractor cybersecurity awareness training, regular awareness exercises, and employee outreach activities including cybersecurity tech talks, on-site digital signage, intranet resources, CEO cybersecurity champion recognition at quarterly town hall meetings, and other targeted communications. These awareness measures are coupled with ongoing implementation of technology aimed to reduce vulnerabilities (including external testing and validation) and to monitor and assess threats. Our program includes monitoring on an ongoing basis by automated tools that detect threats and trigger alerts for assessment, investigation, and remediation by our internal cybersecurity team.
Integration with Enterprise Risk Management
The cybersecurity program is an important part of the Company’s enterprise risk management (ERM), with our Senior Vice President & Chief Information Officer serving on our ERM Committee and our Vice President of ERM serving as the strategic crisis management coordinator under our cybersecurity incident response plan. We have developed processes for managing cybersecurity
incidents including clear allocation of responsibilities and defined incident classifications, escalation requirements based on materiality, and prioritization parameters. Our cybersecurity incident response plan is integrated into our ERM Committee risk mitigation action plan process, our Senior Leadership Team (SLT) strategic crisis management action plan process, and our Disclosure Committee protocol for cybersecurity incidents. We also maintain business continuity and disaster recovery plans to prepare for potential information technology disruptions.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our Board and its Audit/Finance Committee exercises oversight over our enterprise risk management including our cybersecurity program.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Board of Directors and its Audit/Finance Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Board and its Audit/Finance Committee exercises oversight over our enterprise risk management including our cybersecurity program. The Audit/Finance Committee receives updates from our CIO or CISO at each of its regularly scheduled meetings regarding matters related to information technology and cybersecurity including the state of the Company’s cybersecurity programs, emerging cybersecurity developments and threats, and the Company’s strategy to mitigate cybersecurity risks. Additionally, our full Board receives reports on our cybersecurity program at least annually which includes a review of our cybersecurity incident response plans which are described above.
|Cybersecurity Risk Role of Management [Text Block]
|
General
Our management is responsible for identifying, assessing, and managing our exposure to cybersecurity risk. Management identifies and assesses risks through its cross functional ERM committee that is responsible for:
Our Board of Directors and its Audit / Finance Committee play an active part in overseeing cybersecurity risks relevant to the Company. The Board and its Audit / Finance Committee routinely receive reports from our management and external advisors on critical risk areas.
Management
The Company maintains a dedicated internal cybersecurity team that is supported by internal and external software, third-party experts, and threat intelligence resources. Members of our cybersecurity team provide cybersecurity reports to our Board, SLT, and cross-functional leaders and teams. The internal cybersecurity team is responsible for implementing our cybersecurity strategy including policies, standards, architecture, and processes including our processes for identifying cybersecurity risks and threats and recommending mitigating actions to strengthen cybersecurity resilience. In addition, our internal cybersecurity team is responsible for managing detection, mitigation, and remediation of all cybersecurity incidents.
Conagra’s Cybersecurity Team is led by our Chief Information Security Officer (CISO). Our CISO, a certified information security professional, has more than 25 years of cybersecurity leadership experience across multiple industries and holds a Doctor of Science (DSc) degree in Cybersecurity. The CISO reports to our Chief Information Officer (CIO), who has been with Conagra for more than 20 years serving in various leadership roles in information technology, finance, and business services. We believe our CIO possesses a firm understanding of the Company’s cybersecurity landscape, risks, and knowledge of the capabilities of our cybersecurity and information systems personnel.
Additionally, members of our internal cybersecurity team have experience in cybersecurity risk management, threat monitoring, threat emulation, penetration testing, cyber incident response management, and data protection. Team members have both individual responsibilities and a team focus, and manage both internal and third-party cybersecurity risk mitigation, covering areas such as network, endpoint device, and e-mail security as well as operations and threat management, monitoring, and response. Our CISO, CIO and CFO are responsible for determining that the Company has appropriate people, process and technology capabilities to identify, mitigate and report on cybersecurity risks to the SLT and Board of Directors.
Our cybersecurity incident response plan provides that our ERM, strategic crises management coordinator is informed about significant cybersecurity incidents for escalation to our internal Incident Disclosure Committee, SLT, and Board, as appropriate in accordance with our strategic crisis management action plan. Our cybersecurity incident response team is responsible for maintaining our cybersecurity incident response plan, which is periodically tested through our tabletop exercises. We have involved outside experts, our strategic crises management coordinator, members of our SLT, and members of our Incident Disclosure Committee in our tabletop exercises and preparedness drills to strengthen these response plans.
Additionally, our Corporate Cybersecurity Steering Committee, chaired by the CISO and whose members include our Senior Vice President, Corporate Controller (our principal accounting officer), as well as other members of the information technology, finance, supply chain, security and facilities, research and development, product, human resources, and legal teams, meets regularly to provide a forum for senior leaders and key stakeholders to strengthen their understanding and strategize on managing cybersecurity challenges at the Company.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Chief Information Security Officer (CISO)
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO, a certified information security professional, has more than 25 years of cybersecurity leadership experience across multiple industries and holds a Doctor of Science (DSc) degree in Cybersecurity.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Additionally, members of our internal cybersecurity team have experience in cybersecurity risk management, threat monitoring, threat emulation, penetration testing, cyber incident response management, and data protection. Team members have both individual responsibilities and a team focus, and manage both internal and third-party cybersecurity risk mitigation, covering areas such as network, endpoint device, and e-mail security as well as operations and threat management, monitoring, and response. Our CISO, CIO and CFO are responsible for determining that the Company has appropriate people, process and technology capabilities to identify, mitigate and report on cybersecurity risks to the SLT and Board of Directors.
Our cybersecurity incident response plan provides that our ERM, strategic crises management coordinator is informed about significant cybersecurity incidents for escalation to our internal Incident Disclosure Committee, SLT, and Board, as appropriate in accordance with our strategic crisis management action plan. Our cybersecurity incident response team is responsible for maintaining our cybersecurity incident response plan, which is periodically tested through our tabletop exercises. We have involved outside experts, our strategic crises management coordinator, members of our SLT, and members of our Incident Disclosure Committee in our tabletop exercises and preparedness drills to strengthen these response plans.
Additionally, our Corporate Cybersecurity Steering Committee, chaired by the CISO and whose members include our Senior Vice President, Corporate Controller (our principal accounting officer), as well as other members of the information technology, finance, supply chain, security and facilities, research and development, product, human resources, and legal teams, meets regularly to provide a forum for senior leaders and key stakeholders to strengthen their understanding and strategize on managing cybersecurity challenges at the Company.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef