Hillman Solutions Corp. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Hillman Solutions Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 07:34:56 EST.

Filings

10-K filed on 2024-02-22

Hillman Solutions Corp. filed an 10-K at 2024-02-22 07:34:56 EST
Accession Number: 0001822492-24-000023

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C - CYBERSECURITY. Cybersecurity Risk Management and Strategy The Company s cybersecurity policies, standards, processes, and practices for assessing, identifying and managing material risks from cybersecurity threats and responding to cybersecurity incidents are part of the Company s overall risk assessment efforts. The Company has established controls and procedures, including an incidence response plan, that provide for the identification, notification, escalation, communication, and remediation of data security incidents at appropriate levels so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. The Company continues to review its Cybersecurity program and controls and procedures as part of its efforts to strengthen its defenses. As part of its cybersecurity program, the Company utilizes firewalls, identity and access management programs, email security, anti-malware, and a detection and response program. The Company periodically assesses and tests its policies, standards, processes and practices that are designed to address cybersecurity threats and incidents by performing internal and external vulnerability scans, penetration testing, and phishing exercises. The Company utilizes a combination of internal employees and third parties to perform security monitoring and 24/7 response, penetration testing, phishing campaigns, and provide security awareness training to our employees. We recently updated our onboarding process for certain third-party vendors and service providers to include a review and assessment of their information security practices. The Company also conducts information security and awareness training to ensure that employees are aware of information security risks and to enable them to take steps to mitigate those risks. Role of the Board The Board is responsible for cybersecurity risk oversight and receives periodic updates from management on the Company s cybersecurity program, threats, and defense measures implemented. Additionally, our Chief Technology Officer (“CTO”) provides updates to the Board on an as needed basis with respect to cybersecurity risks or any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such cybersecurity incident until it has been remediated. Role of Management Our CTO oversees and provides accountability related to our cybersecurity risk management strategy and overall information security program. The CTO s cybersecurity team is led by a Director of Information Technology Security. The cybersecurity team is responsible for leading enterprise-wide cybersecurity strategy, policy, 17 | December 30, 2023 Form 10-K standards, architecture, and processes. The program incorporates policies and practices designed to protect the privacy and security of our sensitive information. The cybersecurity team includes dedicated internal resources that currently have Certified Information Systems Security Professional (“CISSP”) credentials, Certificate of Cloud Security Knowledge (“CCSK”), and other security and network certifications. In addition to our internal security staff, we partner with various third-party security service providers to augment our staffing, expertise, and hours of operation. The CTO regularly reports to our senior leadership team, as well as periodically to our Board of Directors, regarding our cybersecurity program and material cybersecurity risks. The CTO coordinates with other teams including internal Audit, to ensure a combined focus on technology modernization and remediation needs. The CTO is briefed weekly on current security operations and relevant issues across the cybersecurity threat landscape. Current Cybersecurity events In late May 2023, we experienced a ransomware attack relating to certain systems on our network (the Cybersecurity Incident ). We promptly initiated an investigation, engaged the services of cyber-security experts and outside advisors and worked with appropriate law enforcement authorities to contain, assess and remediate the Cybersecurity Incident. The Cybersecurity Incident affected certain of our information technology systems, and as part of the containment effort, we suspended affected systems and elected to temporarily suspend additional systems in an abundance of caution. We reactivated and restored our operational systems over the course of the week following the Cybersecurity Incident. The Cybersecurity Incident related costs net of an expected insurance receivable totaled $1.0 million. Our system remediation efforts regarding the Cybersecurity Incident have substantially concluded as of December 30, 2023. As of the date of this report, the Company is not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. In the event of an attack or other intrusion, we have a response team of internal and external resources engaged and prepared to respond. We also maintain cyber liability insurance to help mitigate potential liabilities resulting from cyber issues. We plan to continually invest in efforts to enhance data security in response to developments in the cybersecurity landscape. 18 | December 30, 2023 Form 10-K

Company Information