HERBALIFE LTD. 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

HERBALIFE LTD. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 16:29:56 EST.

Filings

10-K filed on 2024-02-14

HERBALIFE LTD. filed an 10-K at 2024-02-14 16:29:56 EST
Accession Number: 0000950170-24-015266

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Our Processes Regarding Cybersecurity Threats We apply a layered approach, or a defense-in-depth strategy to cybersecurity. This layered approach to security leverages governance, people, processes, and technology to provide our information technology ( IT ) teams with preventative measures and strategies such that they are prepared to respond to cybersecurity threats and incidents. We have process, controls and technology infrastructure to maintain, protect, and enhance existing systems and develop new systems as needed to keep pace with continuing changes in technology, evolving industry and regulatory standards, and emerging cybersecurity and data security risks. We collect, process, and analyze threat intelligence data from a variety of sources to understand motives, targets, and attack behaviors. Another aspect of our security program is vulnerability management, which includes, among other things, asset discovery and inventory, third-party vulnerability scanners, patch management and remediation, configuration management, as well as penetration testing. We have monitoring systems which are designed to identify potential cybersecurity events, including threats and incidents. These monitoring systems are managed by our Global Security Operations Center, which employs cybersecurity professionals in the United States and in certain foreign countries in which we operate to provide better coverage and response actions. We also use a Security Information and Event Management (SIEM) platform, providing real-time analysis of security alerts generated by applications and network hardware. This platform helps the Global Security Operations Center in monitoring and responding to security events. We have a multi-functional incident response plan which provides guidance in the event of a cybersecurity incident. The plan is managed by our Incident Management Team, which includes representation from our Global Security, Cybersecurity, Legal, and Finance departments, among others. The Incident Management Team is responsible for responding to an incident, including tasks such as identifying and assessing the nature of the incident, containing the incident, and coordinating with relevant departments. Depending on the nature or severity of the event, the Incident Management Team may escalate the matter to our Executive Leadership Team, which includes the Chief Executive Officer, Chief Operating Officer, Chief Information Security Officer, Chief Information Officer, Chief Financial Officer, General Counsel, and other executives. If necessary, the matter could be escalated to our Board of Directors or any appropriate Board committees. This structured governance approach is designed to manage cybersecurity incidents with participation and involvement with the appropriate levels of our organization. External and internal audits are conducted periodically to assess the effectiveness of our cybersecurity measures. These audits include an annual technology risk assessment by our Cybersecurity and IT departments. Our Internal Audit team also conducts cybersecurity risk assessments which include, among other things, evaluating governance of our cybersecurity processes and functions, assessing our ability to identify, validate and remediate vulnerabilities, and evaluating penetration studies. Results of our Internal Audit assessments are shared with our Enterprise Risk Management ( ERM ) team, our Technology Risk Committee, and in accordance with our governance structure which includes, among other things, the Audit Committee of our Board of Directors. We conduct vendor security assessments for key service providers as part of our vendor onboarding process and as part of our contract review process. The cybersecurity assessment process includes considerations from an industry leading third-party vendor security ratings company. Our standard agreements with third parties may include, among other provisions, compliance requirements, data protection standards, audit rights, and security incident notification requirements. A dedicated email account and hotline is in place for third parties to report security incidents. The email account and hotline are monitored 24/7/365 by our Global Security Operations Center. Notice of a third-party security incident could trigger the activation of our incident response plan, as further described above. Cybersecurity Governance and Risk Management Systems Our risk management system includes several risk management functions that support our processes for identifying, assessing, and controlling risks to our business, including cybersecurity risks. Our cybersecurity risk management process is integrated with our overarching risk management system, led by our ERM team, and further guided by our Technology Risk Committee. Our Technology Risk Committee is responsible for approving the effectiveness of our cybersecurity risk framework and assisting with the oversight of decisions that affect compliance with applicable legal and regulatory matters and corporate policies. As part of the management oversight structure, the ERM team provides our Management Risk Committee with periodic updates on key risk conditions, strategy and mitigation efforts. 41 Our cybersecurity risk management process, which encompasses continuous monitoring and periodic assessments, is designed to identify and mitigate cybersecurity threats and vulnerabilities. These efforts are aligned with the broader objectives of our ERM team and are continuously reviewed and refined in consultation with our Technology Risk Committee. A key aspect of this integrated framework is the role of our Internal Audit team, which serves as an independent, objective assurance function tasked with evaluating the effectiveness of risk management, internal controls, and our governance processes. Communication channels between our cybersecurity teams and other risk management personnel are established to facilitate the timely sharing of information about potential cyber threats. For example, our Data Protection and Information Security working group, which includes representation by our Chief Information Security Officer (who reports directly to our COO) and CIO, and our Legal, ERM, Information Governance and Finance departments, among others, meets regularly to discuss key risks, strategies and threats related to information security. Our Board of Directors administers a risk oversight function through its Audit Committee, and is supported by our ERM team, including on matters related to cybersecurity risks. This management reporting is designed to give our Board of Directors visibility over our operations and activities to adequately identify key risks, including among other things, cybersecurity risks, and understand management s risk mitigation strategies. Our Cybersecurity department is staffed with professionals holding a variety of IT, cybersecurity and audit best practice certifications, including, among others, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Cloud Security Professional (CCSP), International Organization for Standardization 27001 Lead Auditor Certification (ISO 27001 LA), Certified Information Privacy Professional (IAPP CIPP/CIPM), Alibaba Cloud s Cloud Security Certification (Ali-ACP), and Certified in Risk and Information Systems Control (CRSC). Our Cybersecurity department also has a training and development program in place so that appropriate skillsets are maintained and/or acquired, and professional certifications remain current. Our cybersecurity teams are supported by training programs and a dedicated learning management system, Herbalife University, whereby all Herbalife employees receive mandatory security awareness training. Specialized training is also assigned to certain functions based on job responsibilities. Training content is purchased from multiple well-recognized third parties. In addition to assigned training, Herbalife University offers additional information security related courses available to all employees on demand. Our cybersecurity program also engages a variety of consultants, auditors and other third parties to support and assist with implementing and maintaining appropriate security measures. Any number of third parties may be engaged to assist in response actions, including, among others, intelligence providers, product, software and service providers and advisors. Professional services, or consultants, are engaged as needed to help implement, support or advise on a variety of technical matters. Legal counsel, law enforcement and external auditors are also consulted as needed. We have already identified and, in some cases, engaged, third-party experts to allow for quicker engagement if a cybersecurity incident occurs in the future. Risks from Cybersecurity Threats As of December 31, 2023 and as of the date of this filing, we are not aware of any risks from cybersecurity threats, including any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or nancial condition. This statement does not guarantee that future incidents or threats will not have a material impact or that we are not currently the subject of an undetected incident or threat that may have such an impact. 42

Company Information