HELEN OF TROY LTD 10-K Cybersecurity GRC - 2024-04-24

Page last updated on July 16, 2024

HELEN OF TROY LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-24 07:01:04 EDT.


10-K filed on 2024-04-24

HELEN OF TROY LTD filed a 10-K at 2024-04-24 07:01:04 EDT
Accession Number: 0000916789-24-000015


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company relies on electronic information systems, networks and technologies to conduct and support its operations and other functions and activities within the Company. We rely on commercially available systems, software, tools, third-party service providers and monitoring to provide security for processing, transmission and storage of confidential information and data. We have an enterprise-grade information security management program designed to identify, protect, detect and respond to and manage reasonably foreseeable material cybersecurity threats. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, remediate, respond and recover from identified vulnerabilities and cybersecurity incidents. As part of the Company’s cybersecurity risk management program, we follow the NIST Cybersecurity Framework (“CSF”) to assess, identify and manage risks that arise from cybersecurity threats. The CSF is closely tied to the Company’s enterprise risk management processes to identify and document cybersecurity threats and prioritize responses. Included in the CSF process is the identification and assessment of cybersecurity risks to systems, assets, data and resources. The Company also has a vulnerability management process in place. This vulnerability management process helps us to detect and identify threats and vulnerabilities and once identified, to remediate, respond and recover. In addition, our cybersecurity team subscribes to expert and industry standard security feeds and reports, which we use to identify new risks and new vulnerabilities in different systems and infrastructures. Our cybersecurity risk management program also includes cybersecurity awareness training for our associates and an incident response team (“IRT”).
The Company engages third-party service providers to be able to perform 24/7 proactive monitoring, correlation and triage of logs and activity throughout our systems, networks and infrastructures. These processes are performed by cybersecurity service providers as well as automated detection. These processes include detection and response, as well as vulnerability management and remediation. The Company also has a vendor risk management process to assess risks related to technology third-party service providers where we initially assess their cybersecurity posture upon engaging their services. We annually review these vendors to update our risk assessment and to monitor for any changes that could present additional risks. We also maintain a cyber incident response plan (“IRP”) with the objective of (1) providing a structured and systematic incident response process for cybersecurity threats that affect any of our electronic information systems and networks, (2) timely and effectively identifying, resolving and communicating cybersecurity incidents and (3) managing internal and external communications and reporting. 
Under the IRP, a dedicated information security coordinator is responsible for implementing the IRP, as well as:

- identifying the IRT and any appropriate sub-teams to address specific cybersecurity incidents, or categories of cybersecurity incidents;
- coordinating IRT activities, including developing, maintaining, and following appropriate procedures to respond to, communicate, and document identified cybersecurity incidents;
- conducting post-incident reviews to gather feedback on cybersecurity incident response procedures and address any identified gaps in security measures;
- providing training and conducting periodic exercises to promote associate and stakeholder preparedness and awareness of the IRP; and
- reviewing the IRP at least annually, or whenever there is a material change in our business practices that may reasonably affect our cyber incident response procedures.

If a cybersecurity incident occurs, under the IRP, the information security coordinator or a designee is required to notify, as necessary and applicable, the IRT and senior executives and organizational leadership, including our Chief Legal Officer, our business partners or service providers and other authorities. Our Chief Legal Officer, working with senior executives, is required under the IRP, as appropriate, to notify the Audit Committee of any cybersecurity incident. As discussed below, the Audit Committee of our Board of Directors oversees risk management relating to cybersecurity. We and our third-party service providers have experienced and expect to continue to experience actual or attempted cyber-attacks of our information systems and networks. We do not believe we have experienced any material system security breach that to date has had a material impact on our operations or financial condition. However, if any such event, whether actual or perceived, were to occur, it could have a material adverse effect on our business, operating results and financial condition.
For more information regarding the risks we face from cybersecurity threats, see Item 1A., “Risk Factors.”

Cybersecurity Governance

Cybersecurity is an important part of our enterprise risk management processes and an area of focus for our Board of Directors and management. The Company has a dedicated role in the Director of Cybersecurity and IT Compliance, who reports to our Chief Information Officer (“CIO”). Our current interim CIO has significant experience in information technology across a variety of industries, including consumer goods, automotive, manufacturing and outsourcing. Our current interim CIO and Director of Cybersecurity and IT Compliance also have experience in cybersecurity, information security, policy, architecture, engineering and incident response. The CIO works with other functions within the Company to implement controls, procedures and practices to help minimize the Company’s risks, as well as to introduce security by design. Our CIO provides regular updates on cybersecurity matters to our senior management. The Audit Committee assists the Board of Directors in its oversight of risks related to cybersecurity and directly oversees risk management relating to cybersecurity. The Audit Committee is also responsible for assessing the steps management has taken to monitor and control these risks and exposures and evaluating guidelines and policies with respect to our risk assessment and risk management. Our Chief Legal Officer, working with the CIO and other senior management, is responsible for determining and coordinating reports and updates to the Audit Committee or the Board of Directors, or as requested by the Audit Committee or the Board of Directors. The Audit Committee reviews our cybersecurity program with management and reports to the Board of Directors with respect to, and its review of, the program.
Cybersecurity reviews by the Audit Committee generally occur at least annually, or more frequently as determined to be necessary or advisable. The Board of Directors receives an update on the Company’s risk management processes and the risk trends related to cybersecurity at least annually.

Company Information

SIC Description: Electric Housewares & Fans
Ticker: HELE - Nasdaq
Category: Large accelerated filer
Fiscal Year End: February 27