Prestige Consumer Healthcare Inc. 10-K Cybersecurity GRC - 2024-05-15

Page last updated on July 16, 2024

Prestige Consumer Healthcare Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-15 07:01:05 EDT.

Filings

10-K filed on 2024-05-15

Prestige Consumer Healthcare Inc. filed a 10-K at 2024-05-15 07:01:05 EDT
Accession Number: 0001295947-24-000017


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of data privacy and security and are committed to safeguarding and protecting our own confidential information and other confidential information shared with us. We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of all our critical systems and information, which is integrated into our overall risk management program. This cybersecurity risk management program involves the strategic planning, operation, implementation, and monitoring of cybersecurity practices within our organization. Our cybersecurity program also includes a comprehensive incident response plan (“IRP”) to respond to security breaches and cyberattacks.

In addition, our cybersecurity IRP is part of our overall Information Security Program, which is led by the Company’s Information Technology (“IT”) Vice President (“VP”) and Chief Information Security Officer (“CISO”) and is overseen by the Company’s Chief Financial Officer (“CFO”). The IRP is designed to protect and preserve the confidentiality, integrity and continued availability of all confidential information in the care of the Company and the information systems owned or used by the Company, as well as the Company’s ability to operate. Our cybersecurity IRP includes controls and procedures for timely and accurate reporting of any cybersecurity incident. We design and assess our program based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework.

Our cybersecurity risk management program includes the following:

- An ongoing process of identifying, evaluating, and addressing our cybersecurity threats;
- A security team responsible for managing our cybersecurity risk, assessment processes, security controls, and responses for security breaches and cyberattacks;
- The use of external service providers, where appropriate, to assess, perform tabletop exercises, or otherwise assist with aspects of our security controls designed to anticipate cyberattacks and respond to breaches. Procedures include annual internal vulnerability scans and external penetration tests;
- Regular cybersecurity awareness training for all employees to provide a better understanding of the issues and risks related to cybersecurity and data privacy. We realize that cybersecurity is not just the job of the IT security team; the Company and all employees play a critical role in managing the risk;
- Phishing and other exercises performed by our IT department periodically throughout the year to test our systems and reinforce the training provided to all personnel;
- A cybersecurity incident response plan managed by our VP of IT/CISO, which includes procedures for responding to cybersecurity incidents and is designed to protect and preserve the confidentiality, integrity and continued availability of information possessed by the Company;
- A third-party cybersecurity risk management process for service providers, suppliers, and vendors performed throughout the year.

We have not identified any risks from known cybersecurity threats, including any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For a detailed discussion on the Company’s cybersecurity related risks, see “Risk Factors” relating to information technology contained in Part 1, Item 1A of this Annual Report on Form 10-K.

Cybersecurity Governance

Our Board of Directors considers cybersecurity risk a part of its overall risk oversight function. The VP of IT/CISO reports to the CFO, who regularly reports to the Board of Directors and Audit Committee regarding cybersecurity risks and our risk management program.

The Audit Committee oversees management’s implementation of our cybersecurity risk management program, including reviewing risk assessments and policies with respect to the Company’s IT systems, privacy, information governance and cybersecurity management. The Audit Committee meets with management at least annually, and as necessary, to review the Company’s IT security program, compliance and controls with the CFO and/or CISO, including the potential impact of data privacy risk exposures on the Company’s business, financial results, operations and reputation, the steps management has taken to monitor and mitigate such exposures, and major legislative and regulatory developments that could materially impact the Company’s data privacy risk exposure.

Our VP of IT/CISO and CFO are responsible for assessing and managing our material risks from cybersecurity threats. The cyber security risk management team is led by our VP of IT/CISO, who has significant experience across digital innovation and technology-enabled growth, information security, infrastructure, operations and compliance. The team has primary responsibility for our overall cybersecurity risk management program and oversees both our internal cybersecurity personnel and our retained external cybersecurity consultants.

Members of our executive leadership team, including our CFO, Senior Vice President and General Counsel, as well as the other members as needed, supervise efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us, alerts and reports produced by security tools deployed in the IT environment.


Company Information

Name: Prestige Consumer Healthcare Inc.
CIK: 0001295947
SIC Description: Pharmaceutical Preparations
Ticker: PBH - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: March 30