Hanesbrands Inc. 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 11, 2024

Hanesbrands Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 10:16:43 EST.

Filings

10-K filed on 2024-02-16

Hanesbrands Inc. filed a 10-K at 2024-02-16 10:16:43 EST
Accession Number: 0001359841-24-000010


Item 1C. Cybersecurity.

Risk Management and Strategy

As a part of the Company’s overall risk management and compliance programs, we have developed an enterprise cybersecurity program designed to detect, identify, classify and mitigate cybersecurity and other data security threats. Our enterprise cybersecurity program classifies potential threats by risk levels and we typically prioritize our threat mitigation efforts based on those risk classifications, while focusing on maintaining the resiliency of our systems. In recent years, we have increased our investments in our ability to detect, identify, classify and mitigate cybersecurity and other data privacy risks within our environment. In the event we identify a potential cybersecurity, privacy or other data security issue, we have defined procedures for responding to such issues, including procedures that address when and how to engage with Company management, our Board of Directors, other stakeholders and law enforcement when responding to such issues. Additionally, our cybersecurity program is regularly audited by independent third parties, and we incorporate regular information security training as part of our employee education and development program. We maintain cybersecurity insurance as part of our comprehensive insurance portfolio.

Because we are aware of the risks associated with third-party service providers, we also have implemented robust processes to oversee and manage these risks. We conduct security assessments of third-party providers before engagement and maintain ongoing monitoring to help ensure compliance with our cybersecurity standards. In addition, we perform periodic risk assessments of key vendors. This approach is designed to mitigate risks related to potential data breaches or other security incidents originating from or at third-party service providers.

We also understand the importance of collecting, storing, using, sharing and disposing of personal information in a manner that complies with all applicable laws. Our policies provide explanations of the types of information we collect, how we use and share information, and generally describe the measures we take to protect the security of that information. Our policies also describe how customers may initiate inquiries and raise concerns regarding the collection, storage, sharing and use of their personal data.

Some of the other steps we have taken to detect, identify, classify and attempt to mitigate data security and privacy risks include:

- Adopting and periodically reviewing and updating information security and privacy policies and procedures;
- Conducting targeted audits and penetration tests throughout the year, using both internal and external resources;
- Conducting security maturity posture assessments, including engaging an industry-leading, nationally-known third party to independently evaluate our information security maturity on a regular basis;
- Utilizing industry-standard technologies, processes, and capabilities designed to protect our systems and data and detect potential suspicious activity;
- Adopting a vendor risk management program, which includes cybersecurity and data privacy audits, classifying vendor, service provider or business partner risk based on several factors and evaluating and monitoring related risk mitigation efforts;
- Providing security and privacy training and awareness to our employees;
- Conducting periodic phishing simulations to test our employees’ responses to suspicious emails and to inform targeted cyber awareness training; and
- Maintaining cyber liability insurance.

We have experienced targeted and non-targeted cybersecurity attacks and incidents in the past, and we could in the future experience similar attacks. For additional information regarding the ransomware attack we announced on May 31, 2022, see the section captioned “Overview - Ransomware Attack” under Part II, Item 7 “Management’s Discussion and Analysis of Financial Condition and Results of Operations” below. Other than this ransomware attack, as of the date of this report and for the years presented, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us, our business strategy, results of operations or financial condition. For additional information regarding the risks from cybersecurity threats we face, see the section captioned “Operational Risks - Any inadequacy, interruption, integration failure or security breach with respect to our information technology could harm our ability to effectively operate our business and have a material adverse effect on our business, results of operations, financial condition and cash flows” under Part I, Item 1A “Risk Factors” above.

Governance

Our Board of Directors recognizes the important role of information security and mitigating cybersecurity and other data security threats, as part of our efforts to protect and maintain the confidentiality and security of customer, employee and vendor information, as well as non-public information about our Company.

Although the Board as a whole is ultimately responsible for the oversight of our risk management function, the Board uses its committees to assist in its risk oversight function. The Audit Committee of our Board of Directors has primary responsibility for oversight of risk assessment and risk management, including risks related to cybersecurity and other technology issues. The Board regularly reviews our cybersecurity and other technology risks, controls and procedures. The Board receives reports from our Chief Executive Officer and Chief Information Officer at least twice annually regarding our cybersecurity framework, as well as our plans to mitigate cybersecurity risks and to respond to any data breaches.

In addition, our cybersecurity infrastructure is overseen by our Chief Information Security Officer, who reports to our Chief Information Officer. Our Chief Information Security Officer has served in various roles in information technology and information security for over 20 years, including most recently leading the information security function of McCormick & Company. He holds a Ph.D. in information assurance & security, along with industry certifications that include ISACA Certified Data Privacy Solutions Engineer and Certified Information Security Manager and EC-Council’s Certified Chief Information Security Officer certification. Our Chief Information Officer reports to our Chief Executive Officer and has served in various roles in information technology and information security for over 25 years, including as head of enterprise architecture for VF Corporation. Our Chief Information Officer holds an MBA along with various industry certifications, including SAP Enterprise Architect certification and TOGAF certification.

Furthermore, management of Hanesbrands prepares, and the Audit Committee reviews and discusses, an annual assessment of our risks on an enterprise-wide basis. We conduct a rigorous enterprise risk management program that is updated annually and is designed to bring to the Audit Committee’s attention our most material risks for evaluation, including cybersecurity risks.


Company Information

Name: Hanesbrands Inc.
CIK: 0001359841
SIC Description: Retail-Apparel & Accessory Stores
Ticker: HBI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 29