Hayward Holdings, Inc. 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

Hayward Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 07:07:17 EST.

Filings

10-K filed on 2026-02-25

Hayward Holdings, Inc. filed a 10-K at 2026-02-25 07:07:17 EST
Accession Number: 0001834622-26-000008


Item 1C. Cybersecurity.

Our Board of Directors (the "Board") recognizes the importance of cybersecurity in today's digital landscape. We are committed to safeguarding our information systems and data assets. This enables us to maintain the trust and confidence of our customers, clients, business partners and employees. The Board has oversight responsibility for our risk management program, and cybersecurity is one component of our overall approach to risk management.

Our cybersecurity processes are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. We seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information we collect and store, including information regarding our customers, suppliers and employees. As part of our risk management program, we actively work to identify, prevent and mitigate cybersecurity threats, and take steps to be prepared to effectively respond to cybersecurity incidents when they occur.

Risk Management and Strategy

We have established a robust cybersecurity governance framework to assess, identify, manage and mitigate risk. Our cybersecurity risk management program includes:

- Maintaining a comprehensive International Organization for Standardization-based Information Security Policy. The Information Security Policy is reviewed annually and certified by our Vice President of Information Technology.
- Inclusion of Sarbanes-Oxley Information Technology General Controls in our Risk and Control Matrix, which are routinely tested by our Internal Audit team.
- Regular risk and vulnerability assessments to identify and address potential weaknesses in our systems. We primarily utilize in-house resources for assessing, identifying and managing cybersecurity threats.
- Engaging external cyber security firms, as needed, leveraging their expertise as part of our ongoing effort to evaluate and enhance our cybersecurity program. They help with cybersecurity defense capabilities and recommending steps to mitigate threats, enhance our cybersecurity posture and meet our evolving needs.
- Routine screening of potential and existing third-party vendors to assess their cybersecurity posture and the incremental risk that they may pose to us. Third-party vendor access to critical information systems is subject to regular review and assessment by management, and management evaluates the cybersecurity risks and safeguards of potential third-party vendors prior to engaging such vendors.
- Mandatory employee cybersecurity training to equip our employees with the tools and knowledge to enhance the cybersecurity posture across the organization.
- Continuous monitoring of networks and systems for suspicious activity, leveraging firewalls, intrusion detection and prevention systems, endpoint anti-virus and anti-malware solutions, and a privileged access management system.
- A comprehensive incident response plan, which has been developed to enhance the Company's ability to respond to, and recover from, cybersecurity incidents.

We engage in the periodic assessment and testing of our processes that are designed to address cybersecurity threats and incidents, including with respect to third-party vendors. The results of such assessments are reported to management and the Board. Adjustments to our cybersecurity processes are made as necessary.

Through these processes, we have not identified risks from current or past cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, we face ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect business strategy, results of operations, or financial condition. See "Risk Factors-We rely on information technology systems to support our business operations and a significant disruption or breach of our technological infrastructure, or that of our vendors or other third parties, could adversely affect our financial condition and results of operations, and reputation. In addition, a failure to maintain the security of confidential information could expose us to litigation and regulatory action."

Governance

Board Oversight

Our Board, in coordination with the Audit Committee, oversees our management of risks arising from cybersecurity threats. The Board receives regular reports from management about cybersecurity risks, addressing matters such as evolving standards; vulnerability assessments, including results of third-party penetration testing; audits of our cybersecurity IT controls; and independent reviews of our cybersecurity processes. The Audit Committee receives from management prompt and timely information regarding any significant or potentially material cybersecurity incident and our remediation efforts.

Management's Role

The following individuals have primary responsibility for assessing and managing cybersecurity risks:

- Chief Financial Officer, who oversees the digital transformation, digital technology and security functions.
- Vice President, Information Technology, who in coordination with management, works to implement our program to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents.
- Chief Legal Officer, who oversees the legal and compliance functions.

These individuals, among others, facilitate the success of our cybersecurity risk management program. We have assigned dedicated resources, including our Vice President, Information Technology, and members of his team to monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and provide reports to management, the Audit Committee and the Board on a regular basis and as needed in response to specific incidents.

Our Chief Financial Officer has over 20 years of experience in similar leadership roles at public companies and has served in various roles overseeing enterprise risk management, internal controls, compliance and financial reporting processes, including oversight of cybersecurity risk management and related disclosures. Our Vice President, Information Technology, has served in various roles in information technology and information security for over 20 years, the majority of which has involved leading IT transformation, cybersecurity and compliance programs at public companies. He holds an undergraduate degree in industrial engineering and an MBA and has attained multiple cybersecurity-related certifications including the Certified Information Systems Security Professional. Our Chief Legal Officer has over 20 years of experience managing risks, including risks arising from cybersecurity threats, at several public companies.


Company Information

Name: Hayward Holdings, Inc.
CIK: 0001834622
SIC Description: Refrigeration & Service Industry Machinery
Ticker: HAYW - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31