OLAPLEX HOLDINGS, INC. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on July 16, 2024

OLAPLEX HOLDINGS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:04:03 EST.


10-K filed on 2024-02-29

OLAPLEX HOLDINGS, INC. filed a 10-K at 2024-02-29 16:04:03 EST
Accession Number: 0001868726-24-000010


Item 1C. Cybersecurity.

Information technology supports all aspects of our business, including operations, marketing, sales, order processing, production and distribution networks, retail and professional hairstylist customer experience, consumer experience, finance, business intelligence, and product development. We continue to maintain and enhance our information technology systems, cybersecurity infrastructure and customer and consumer experiences in alignment with our long-term strategy. An increasing portion of our global information technology infrastructure is cloud-based and in partnership with industry-leading service providers. We believe this approach enables a high-performance platform to support current and future requirements and enhances our scale and flexibility to respond to the demands of the business by leveraging advanced and leading-edge technologies. We recognize that technology presents opportunities to build a competitive advantage, and we continue to invest in new capabilities across various aspects of our business. Such efforts, however, subject us to increased cyber risk, as these investments are subject to cyberattacks, business disruptions and other risks described in “Risk Factors - Risks Related to Information Technology and Cybersecurity.”

We have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. As part of our company-wide enterprise risk management process, we conduct a comprehensive annual enterprise risk assessment that includes evaluation of cybersecurity risks and development of risk mitigation response plans. Company management reviews our enterprise risk assessment with our Audit Committee and our Board of Directors and provides periodic updates with respect to our risk mitigation response plans to our Audit Committee and our Board of Directors.

We have established internal policies and procedures for cybersecurity risk management and incident response management that are based on industry standard cybersecurity frameworks, and we provide regular training to our employees regarding evolving cybersecurity threats and risk management.

Our cybersecurity team is primarily responsible for identifying, evaluating and responding to risks from cybersecurity threats. Our cybersecurity team is led by our Senior Vice President, Information Technology, who has an undergraduate degree in electronic and communications engineering and over 20 years of experience in information technology, including cybersecurity risk management. Our cybersecurity team reviews and assesses our cybersecurity profile against internal and external cybersecurity frameworks that are aligned with industry standards on an ongoing basis and conducts ongoing security management internally and through the engagement of third-party vendors and consultants. In addition, our cybersecurity team periodically engages independent third parties to conduct security assessments and internal and external penetration tests.

Our cybersecurity team seeks to detect potential cybersecurity incidents through technical safeguards such as automatic detection systems, as well as through our policies and procedures that require internal and external notification of cybersecurity incidents. When a cybersecurity incident occurs, our cybersecurity team implements our incident management procedures and convenes an incident response team consisting of members of our IT team and other company representatives as appropriate based on the nature of the incident. The incident response team determines appropriate containment, eradication and recovery procedures based on the type of incident and recommends any corrective actions to the cybersecurity team following the resolution of the cybersecurity incident. Cybersecurity incidents are reported to our Board of Directors, our Audit Committee or its Information Security Subcommittee as appropriate based on the nature of the incident.

We rely on the information systems of third-party vendors, including our cloud vendors, for various functions of our business, including manufacturing, sourcing, distribution, sales and marketing. We engage a third-party risk management software to oversee and identify the risks from cybersecurity threats associated with relevant vendors, based on the services such vendors provide and the information to which they have access. In addition, as part of our new vendor onboarding procedures, we review proposed new vendors’ cybersecurity and data protection practices and collaborate with such vendors to align their cybersecurity platforms with our expectations.

Our Audit Committee assists the Board of Directors in its oversight of our policies, procedures and practices with respect to risk management and mitigation, including risks related to information security, cybersecurity, and data privacy and protection. The Audit Committee has delegated oversight of risks related to information security, cybersecurity, and data privacy and protection to its Information Security Subcommittee, which meets at least twice a year with our Senior Vice President, Information Technology and other members of our IT department to discuss our cybersecurity profile and related risks, as well as to discuss updates on relevant developments in the cybersecurity threat environment. The Information Security Subcommittee reports to the Audit Committee following each subcommittee meeting, and the Audit Committee reports to our Board of Directors.

Although we have experienced cybersecurity incidents in the past, as of the date of this report, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition. Despite our continuing efforts, our cybersecurity platform may not prevent breaches or breakdowns of our or our third-party service providers’ information technology systems, particularly in the face of continually evolving cybersecurity threats and increasingly sophisticated threat actors. A cybersecurity incident may materially affect our business, results of operations or financial condition, including where such an incident results in reputational, competitive or business harm or damage to our brand, lost sales, reduced demand, loss of intellectual property rights, significant costs or the Company being subject to government investigations, litigation, fines or damages. For more information, see “Risk Factors - Risks Related to Information Technology and Cybersecurity.”

Company Information

SIC Description: Perfumes, Cosmetics & Other Toilet Preparations
Ticker: OLPX - Nasdaq
Category: Large accelerated filer
Fiscal Year End: December 30