HYDROFARM HOLDINGS GROUP, INC. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

HYDROFARM HOLDINGS GROUP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 08:39:55 EST.

Filings

10-K filed on 2024-02-29

HYDROFARM HOLDINGS GROUP, INC. filed a 10-K at 2024-02-29 08:39:55 EST
Accession Number: 0001628280-24-007813


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Cybersecurity is a critical risk to our business. We rely on complex information technology systems and networks to conduct business, including communicating with employees and our distribution centers, ordering and managing materials from suppliers, selling and shipping products and analyzing and reporting results of operations, as well as for storing sensitive, personal and other confidential information. While we employ resources to monitor and protect our technology infrastructure and sensitive information, these security measures or those of our third-party vendors may not prevent all attempted security breaches or cyber-attacks. If our or our third-party vendors’ information technology systems are damaged or cease to be available or function properly for an extended period of time, whether as a result of a significant cyber incident or otherwise, our ability to communicate internally as well as with our customers could be significantly impaired, which may adversely impact our business. Our acquisition strategy may also result in exposure to certain technology risks during integration of systems of acquired companies to our existing platform.

Addressing cybersecurity risks requires ongoing monitoring and vigilance, and the Company is making enhancements to its cybersecurity policies, procedures and practices to safeguard sensitive information as well as information from our partners, customers and employees. We employ a risk-based strategy focused on safeguarding critical assets by implementing controls around access, data, and infrastructure security to protect the confidentiality, integrity, and availability of our data.
Maturation and refinement of the Company’s cybersecurity risk management strategy and related procedures is a continuous activity to ensure appropriate identification, assessment, and response to risks from cybersecurity threats that may adversely impact our operations. Our employee training and awareness programs are in place to improve cybersecurity awareness throughout the organization and we are committed to educating our employees on best practices for data protection and phishing awareness. We also engage with third-party cybersecurity assessors, consultants, and auditors that provide independent assessments of our systems and processes, contributing to our efforts to strengthen our cybersecurity posture and enhance our defenses.

On January 31, 2022, certain of our computer systems related to the Aurora acquisition that had not yet been integrated into our main systems were the victim of a cybersecurity attack. We immediately took steps to isolate those systems and implemented measures to prevent the spread of the attack, including taking systems offline in an abundance of caution. Together with an outside cybersecurity forensics firm, we investigated the attack to determine its nature, scope, duration, and impacts, as well as our vulnerability to another such attack and whether there was any exfiltration or misappropriation of data. There was no evidence that the attack extended beyond the Aurora acquisition’s systems, and it was determined that no critical data was accessed. We have subsequently taken steps to integrate the acquisition’s systems with our main systems, which we expect to complete in the first half of 2024. We have not encountered cybersecurity incidents or identified risks from cybersecurity threats that have materially impaired our operations or financial standing.
We maintain cyber insurance coverage to supplement our cybersecurity program given the complex and evolving nature of global cyber threats; however, the insurance may not be sufficient to cover all losses from any breaches of our systems and does not extend to reputational damage or costs incurred to improve or strengthen systems against future threats or activity. Given the increasingly sophisticated threats, a disruption from a cybersecurity incident is possible to occur and we are actively taking actions to minimize the likelihood and impact of such incidents. In the event of such an incident, our information security team is continuously engaged to investigate and respond, including isolating systems, performing forensics, containing and eradicating malicious activity, and recovering systems in line with business expectations and operations.

Cybersecurity Governance

Our Board of Directors oversees the cybersecurity risk management program and is regularly informed of cybersecurity risks through periodic updates provided by the Director of Information Technology (“IT”), to address our cybersecurity processes and risk mitigation efforts. Certain members of the Board of Directors have cybersecurity risk certification credentials and experience with, and exposure to, cyber risk oversight. The periodic updates provided by management to the Board of Directors generally encompass emerging cyber threats, the Company’s security posture changes, significant cybersecurity incidents, progress of risk mitigation efforts, and cybersecurity strategies and investments. The frequency of these updates allows for timely decision-making and ensures that our Board is fully informed of our cybersecurity risks.

Our Director of IT is responsible for identifying, assessing, and mitigating cybersecurity risks across the Company. Supported by our Information Security team, the Director of IT monitors the cyber threat landscape, plans and implements security controls, and responds to incidents.
The collective team has extensive experience in information security and cybersecurity risk management and performs detection and monitoring of cybersecurity threats and incidents on an ongoing basis using a combination of security tooling, automated systems and manual processes.


Company Information

Name: HYDROFARM HOLDINGS GROUP, INC.
CIK: 0001695295
SIC Description: Wholesale-Miscellaneous Nondurable Goods
Ticker: HYFM - Nasdaq
Website:
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: December 30