HASBRO, INC. 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

HASBRO, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:11:58 EST.

Filings

10-K filed on 2026-02-25

HASBRO, INC. filed a 10-K at 2026-02-25 16:11:58 EST
Accession Number: 0000046080-26-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We employ a multi-layered approach to monitoring and mitigating cybersecurity and data privacy risks. Management, in coordination with our Board, the Audit Committee of the Board (the "Audit Committee"), our dedicated Cybersecurity and Data Privacy teams, and senior leaders responsible for Enterprise Risk Management, have established processes intended to adapt to the evolving threat landscape. These processes are designed to identify, assess, and respond to emerging cybersecurity risks, including the ability to rapidly deploy specialized task forces to address specific threats or incidents. Our cybersecurity program is informed by various industry standards like the National Institute of Standards and Technology ("NIST") and Center for Internet Security ("CIS") frameworks, which organize cybersecurity risks into five categories: identify, govern, protect, detect, respond and recover. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection, mitigation and continuous process improvements. Our internal teams review cybersecurity risks, and key cybersecurity risks are incorporated into the Enterprise Risk Management ("ERM") reports reviewed and discussed internally and with the Board. In addition, we have several avenues to gather risk intelligence, and potential threats identified by various services, internal and external assessments, and capabilities to adjust our security strategy. We also have a set of Company-wide policies and procedures concerning cybersecurity and technology standards, which include a Technology Use policy, as well as other policies that directly or indirectly relate to cybersecurity, such as policies related to endpoint, cloud, and network protection, encryption standards, malware/ransomware protection, remote access, multi-factor authentication, anti-phishing, confidential information and the use of the internet, social media, email and wireless devices. These policies go through an internal review process and are approved by appropriate members of management. The Company's Chief Information Security Officer ("CISO") and the Cybersecurity and Data Privacy leadership members are responsible for developing, implementing, advising, and evaluating our information security program. The CISO regularly reports on cybersecurity matters to Hasbro leadership, as well as to the Board and the Audit Committee. Our Chief Digital Information Officer is an executive sponsor of our Cyber Security Program with over two decades of experience leading cyber security oversight, and others on our cyber security team have cybersecurity experience and certifications, such as the Certified Information Systems Security Professional ("CISSP"), or other industry leading certifications. Furthermore, our internal audit team is responsible for testing and auditing the design and operating effectiveness of our information technology internal controls. Cybersecurity risk management is integrated into management's broader enterprise risk responsibilities and informs strategic and operational decision-making. We have invested in Technology security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. We regularly test defenses by performing simulations and drills at both a technical level (including penetration tests), tabletop exercises and by reviewing our operational policies and procedures with third-party experts. At the management level, our Technology security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. The team also prepares a cyber scorecard, regularly collects data on cybersecurity threats and risk areas and conducts an annual risk assessment. In addition, all employees receive cybersecurity training during their onboarding and are required to complete updated training on an annual basis. Further, we conduct periodic external penetration tests, red team testing, product security assessments, tabletop exercises, and maturity testing to assess our processes and procedures and the threat landscape. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property. In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with use of third-party vendors and service providers. The internal business owners of the hosted critical applications are required to document user access reviews and other key controls at least annually and evaluate each vendor's System and Organization Controls ("SOC") 1 and/or SOC 2 report. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with use of third-party providers is part of our overall cybersecurity risk management framework. The Audit Committee of our Board of Directors maintains oversight of our cybersecurity and data privacy risk management programs. Members of the Audit Committee bring relevant oversight, technology and information security governance experience, enabling them to provide informed guidance and effective oversight of our strategies, controls, and incident response capabilities. As part of this oversight, the Audit Committee and the full Board actively participate in discussions with management and amongst themselves regarding cybersecurity risks. The Audit Committee meets during the year and discusses cyber-related industry events, critical cyber incidents, alignment with our information security framework, threat assessment, security capabilities, response readiness and training efforts. The Audit Committee conducts an ongoing review of the Company's cybersecurity program, which includes discussion of management's actions to identify and detect threats, planned actions in the event of a response or recovery situation, as well as a review of recent enhancements to the Company's security detection, prevention and response capabilities, and management's progress on its cybersecurity strategic roadmap. The Cybersecurity team also subscribes to various threat intelligence services to evaluate our security strategy or defense mechanism against such threats. The Board receives regular updates from the Audit Committee, as well as from the Cybersecurity team, including a summary of key risk indicators, test results and related remediation, and recent threats and how the Company is managing those threats. We face a number of cybersecurity risks in connection with our business. During the past three years, we have not suffered a material breach or a reportable incident, and cybersecurity risks (including breach of third parties with whom we work) have not materially affected us, including our business strategy, results of operations or financial condition . For more information about the cybersecurity risks we face, refer to Item 1A. Risk Factors.

Company Information