Page last updated on March 3, 2026
HELIOS TECHNOLOGIES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-03 14:27:09 EST.
Filings
10-K filed on 2026-03-03
HELIOS TECHNOLOGIES, INC. filed a 10-K at 2026-03-03 14:27:09 EST
Accession Number: 0001193125-26-087747
Item 1C. Cybersecurity.
Risk Management and Strategy
We assess, identify and manage material risks from cybersecurity threats through various protective policies, procedures and processes. These are embedded into our overall risk management system and extend to risks related to systems hosted by third parties. We utilize external standards, such as the Center for Internet Security ("CIS") framework, as a starting point for the design and development of our systems that assess risk and mitigation measures. Helios is committed to achieving compliance with the CIS implementation group level 2 standards. However, this does not mean that we meet any particular technical standards, specifications, or requirements, but rather we use external standards as a guide to help us identify, assess and manage cybersecurity risks and threats relevant to our business.
An annual risk assessment is completed and presented to the executive leadership team and the Company's Board of Directors. We discuss changes to our policies, procedures and processes needed to address gaps identified through the assessment.
We maintain organizational safeguards that include employee training, business continuity planning and cybersecurity insurance. These safeguards are reviewed on an annual basis, or more frequently as the business environment warrants, and are adjusted as needed to account for changes in the Company and overall risk environment.
Cybersecurity training is delivered to employees through a combination of online modules and, where role-specific needs or circumstances warrant, instructor-led classroom sessions. This approach ensures comprehensive training tailored to the requirements of various roles while maintaining flexibility and accessibility. Cybersecurity training also addresses emerging risks associated with the use of artificial intelligence tools, including data protection considerations, acceptable use, and awareness of evolving threat vectors.
We incorporate technical safeguards such as Multi-Factor Authentication ("MFA"), principles of Zero Trust and password complexity policies for all accounts to help prevent unauthorized access to our systems and data. Additionally, we utilize Extended Detection and Response ("XDR") installed on endpoint systems, along with our Security Operations Center ("SOC"), to manage real-time endpoint protection monitoring.
As part of our enterprise-wide cybersecurity risk management program, we conduct comprehensive internal and external penetration testing on an annual basis. These assessments, performed using industry-standard testing methodologies and tools, are designed to identify and evaluate potential security vulnerabilities across our information technology environment and to support the ongoing enhancement of our security controls. In addition, we extend such testing to newly acquired companies and assets as part of the integration process. This penetration testing is performed by a third party and is used to evaluate our current posture towards cybersecurity threats and to make adjustments, as needed, to protect our systems. The results are reviewed with the executive leadership team and the Company's Governance Committee of the Board of Directors.
We have an Incident Response Policy and related processes that outline steps to be taken in the event of a cybersecurity incident that impacts Helios, our partners and third-party hosted systems. When a cybersecurity incident occurs, the IT team promptly notifies the Vice President ("VP"), Information Technology and assesses its potential impact on operations and business continuity. Incidents that pose a potential threat to operations or business continuity are escalated to a cross-functional team comprising the VP, Information Technology, the Chief Financial Officer ("CFO"), and the General Counsel.
This team evaluates the incident's materiality, considering factors such as the nature, scope, and timing of the event, as well as its potential financial and operational impact. Based on the evaluation, incidents determined to be material are reported to the Governance Committee. This escalation ensures that the Board of Directors is informed of significant cybersecurity events that could impact the company's financial health or operations.
In addition, the Company maintains relationships with external cybersecurity incident response specialists, including a third-party on an incident response retainer, to augment internal capabilities and support rapid investigation and remediation of cybersecurity events. The Company periodically conducts tabletop exercises and simulations to test and refine its incident response processes.
The Company continues to enhance its cybersecurity risk management practices to address evolving regulatory and contractual requirements, including ongoing efforts to align certain business units with Cybersecurity Maturity Model Certification ("CMMC") Level 2 requirements. These efforts include policy development, technical safeguards, employee training, and periodic assessments of cybersecurity controls.
No risks from cybersecurity threats nor any previous cybersecurity incidents have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, but we cannot provide any assurance that they will not be materially affected in the future by such risks or incidents.
For a discussion of whether and how any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, see "Risks Relating to Our Business: Other--Increased cybersecurity threats and more sophisticated and targeted computer crime and cybersecurity incidents could pose a risk to our data, systems, networks, products, solutions and services" in Item 1A, Risk Factors.
Corporate Governance
Role of Management
Helios Technologies' Information Technology organization is led by the VP, Information Technology and is responsible for the administration of the cybersecurity and information security framework and risk management, including that of the Corporation and its business units, with oversight by the Governance Committee. Helios' VP, Information Technology is an active member of InfraGard and has formal education in information technology with over twenty five years experience in roles involving management of cybersecurity functions, cyber strategy, and leading and collaborating on information systems and related technologies. The VP, Information Technology receives regular updates on cybersecurity developments, results of mitigation efforts and cybersecurity incident response and remediation through monthly Advanced Threat Intelligence briefings and FBI bulletins via InfraGard.
Helios information systems organization and its management team are responsible for developing and implementing its cybersecurity policies and is comprised of individuals with either formal education in information technology or cybersecurity or relevant experience working in information technology and cybersecurity. Additionally, leaders in Helios' information technology function receive periodic training and education on cybersecurity related topics including certifications.
Management periodically reports to the Board of Directors and the Governance Committee on cybersecurity preparedness activities, including incident response exercises, third-party risk assessments, and external threat intelligence.
Role of the Helios Board of Directors
The Governance Committee addresses risks related to the global enterprise, including material risks facing the businesses, risks the Company may face in the future, measures that management has employed to address those risks and other information relating to how risk analysis is incorporated into the Company's corporate strategy and day-to-day business operations. As part of this oversight function, the Governance Committee is responsible for overseeing cybersecurity-related risks. The Governance Committee includes cybersecurity topics in its quarterly updates to the full Board of Directors, which provides further oversight over cybersecurity-related risks and the Company's strategies to address such risks.
Reports to the Board of Directors and Governance Committee include comprehensive updates on the current cybersecurity risk landscape, the status of ongoing mitigation efforts, and emerging incident trends. Additionally, these reports cover updates on third-party risk assessments, progress on cybersecurity initiatives such as technology upgrades, regulatory compliance measures, and employee training programs.
Company Information
| Name | HELIOS TECHNOLOGIES, INC. |
| CIK | 0001024795 |
| SIC Description | Miscellaneous Fabricated Metal Products |
| Ticker | HLIO - NYSE |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |