Security

Protecting our people and products and the data we are trusted with.

Highlights

  • Greif’s oversight of physical security, cybersecurity and product security continues to be key to protecting our people, products, assets and customer data.
  • Our ability to improve our internal technology and technology-enabled communications with customers requires effective security measures to demonstrate our reliability and bolster customer satisfaction.
  • In 2023, Greif did not receive any substantiated complaints concerning breaches of customer privacy or leaks, thefts or losses of customer data.

Why Security Matters

GRI 3-3 | 410-1 | 418-1
  • 3-3: Management of material topics
  • 410-1: Security personnel trained in human rights policies or procedures
  • 418-1: Substantiated complaints concerning breaches of customer privacy and losses of customer data

Greif is responsible for protecting our people, products and the data we are trusted with. We are committed to physical security, cybersecurity and product security, all critical to protecting our assets. Physical security includes ensuring the safety of our colleagues and facilities. Cybersecurity defends Greif’s and our customers’ information resources from digital attacks. Product security protects our customers’ products throughout the supply chain, including shipping and transport. While internal technology and technology-enabled customer communication create efficiencies that enhance our reliability and bolster customer satisfaction, they can also create additional cyber risks or vulnerabilities. We continue to incorporate best practices to improve our ability to protect internal and external information.

Governance

Cybersecurity is a shared responsibility across the entire organization, led by our Chief Information and Digital Officer, who provides quarterly updates to the Audit Committee and updates twice annually to the Board of Directors. In addition, Greif’s cyber team conducts periodic security maturity assessments and roadmap updates to ensure our program continues to meet Greif’s needs and aligns with industry best practices.

We share a security dashboard with executives, our Enterprise Risk Management Team and the Board. The dashboard tracks our performance using the National Institute of Standards and Technology Cybersecurity Framework as a reference. We also maintain a cybersecurity incident response plan and a global business continuity plan, which outline our steps to respond to and mitigate impacts in the case of an incident.

Greif maintains internal policies to safeguard our data, including our Records Management and Retention Policy, Data Privacy Policy, Information Security Policy and IT Procurement and Spend Policy, all of which guide our data security practices in alignment with industry frameworks and regulations such as Sarbanes-Oxley and the EU General Data Protection Regulation (GDPR). Greif’s IT team conducts annual audits against these policies for Sarbanes-Oxley-related IT control processes and assigns training to colleagues on GDPR and data privacy concepts to ensure we meet or exceed policy and regulatory requirements. In 2023, our global colleagues received data privacy training covering the elements of GDPR and other relevant privacy regulations. Colleagues in roles where the handling of personal data is more common—such as Human Resources or IT roles—received additional details about our expectations and our commitment to protecting personal information. Approximately 93 percent of relevant colleagues completed the data privacy training in 2023.

Each month, members from Cybersecurity, Human Resources and the Legal Department meet to monitor and discuss regulatory changes in data privacy and review actions required to ensure compliance. We also partner with industry and regional associations and consortiums to support knowledge sharing involving regulations, emerging technology issues and cybersecurity best practices.

To protect customer and colleague data, we follow a need-to-know model to limit the number of people with access to secure information internally and externally. Additionally, to ensure sound management of confidential data, we obtain consent through agreements and contractual clauses and comply with all relevant regulations. We implement software solutions to protect and encrypt our endpoints to limit our exposure to potential data breaches, and we continue to educate colleagues on our Records Management and Retention and Data Privacy policies. Additionally, we routinely and securely destroy hardware and hard copies of confidential information with verified service providers.

Cybersecurity and awareness training enables our colleagues to identify and respond to potential threats and minimize digital and physical risks. We train colleagues on personal information security, cybersecurity hygiene and general internet safety, among other topics. All colleagues with computer access – including our Executive Leadership Team – must complete the training. All administrative and professional colleagues are assigned the cyber and privacy training and 93 percent of assigned colleagues completed the training in 2023.

We supplement general security training with specific education on phishing. Our program includes monthly simulated phishing emails sent to our administrative and professional colleagues. These messages test their ability to identify and report suspicious messages. Those who are unsuccessful are assigned additional training to help them identify phishing risks.

Our colleagues also receive quarterly newsletters promoting cybersecurity awareness, weekly security tips on topics ranging from password security to avoiding phishing scams and connections to external security training content through Greif University. We also host an annual Cybersecurity Month awareness campaign each October.

We safeguard physical access at our facilities by installing tag readers and PIN code locks, and we require a bill of lading for each shipment picked up from our facilities. Additionally, tamper-resistant enclosures are used throughout the supply chain to give customers confidence that their products are protected and secure.

Greif provides various options for colleagues to report suspicious behavior, potential data breaches, phishing activity and other incidents. Greif’s Ethics Hotline is also available for all colleagues to report issues of concern.

Goals, Progress & Performance

Greif regularly reviews its security strategy and roadmap and assesses progress through third-party partnerships. We have maintained favorable scoring for phishing simulations relative to industry averages, according to our third-party partner. In 2023, our scoring was approximately 15 percent above industry average.

Greif received no substantiated complaints concerning breaches of customer privacy and identified no leaks, thefts or losses of customer data in 2023.