HAIN CELESTIAL GROUP INC 10-K Cybersecurity GRC - 2024-08-27

Page last updated on August 27, 2024

HAIN CELESTIAL GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-27 16:03:12 EDT.

Filings

10-K filed on 2024-08-27

HAIN CELESTIAL GROUP INC filed a 10-K at 2024-08-27 16:03:12 EDT
Accession Number: 0000950170-24-100992


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our enterprise risk management framework considers cybersecurity risk alongside other applicable risks as part of our overall risk assessment process. Within our comprehensive enterprise risk management framework, our cybersecurity risk management program is focused on assessing, identifying, and managing risks arising out of our use of information technology (“IT”) including the risk of cybersecurity incidents and threats. The program is informed by recognized frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). Our cybersecurity team utilizes a variety of tools, processes and outside resources to continue to raise and maintain its maturity across the elements of NIST CSF.

Our cybersecurity risk management program includes a Cyber Security Incident Response Plan (“CSIRP”). Our CSIRP supports the Company in identifying, containing, and tracking cybersecurity incidents experienced by us or our third-party service providers or suppliers. The CSIRP was established to minimize the impact of cybersecurity incidents on our networks, IT systems, users and business processes, and to ensure the timely and accurate reporting of material cybersecurity incidents, should they occur. The execution of our CSIRP is led by our Chief Information Officer and Head of Business Services (“CIO”), with support from a designated IT Incident Response Manager leading an Incident Response Team consisting of subject matter experts, as well as our Executive Response Team when appropriate. In the event of an incident, these individuals work together to assess its severity, notify and brief the appropriate team members, escalate to our Board of Directors as needed, and implement containment procedures.

The Company also conducts tabletop exercises to enhance incident response preparedness and engages third parties, including consultants and other professionals, on an as-needed basis to assess and support our cybersecurity practices and procedures.

Our cybersecurity risk management program is integrated into our operations and is widely communicated to employees through annual employee and contractor cybersecurity awareness training, which includes information about how to identify and report cybersecurity concerns and incidents. Our information technology organization also conducts phishing simulations and testing scenarios to help ensure compliance with our cybersecurity policies and procedures. These awareness measures are coupled with ongoing implementation of technology aimed to reduce vulnerabilities (including external testing and validation) and to monitor and assess threats. Our program includes monitoring on an ongoing basis by automated tools that detect threats and trigger alerts for assessment, investigation, and remediation by our information technology organization.

We maintain business continuity and disaster recovery plans to prepare for potential information technology disruptions. We also maintain insurance coverage that, subject to its terms and conditions, is intended to address costs associated with certain aspects of cyber incidents and information systems failures.

Based on the information we have as of the date of this Form 10-K, we do not believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. See “Item 1A. Risk Factors - Risks Related to Cybersecurity and Technology” for further information about these risks.

Cybersecurity Governance

Our Board of Directors has risk oversight responsibility for the Company, which it administers directly and with assistance from its committees. The Audit Committee assists the Board in its oversight of the cybersecurity risk management program. The Audit Committee is tasked with reviewing and receiving periodic reports from management regarding the Company’s information technology system controls and security and, at least annually, evaluating the adequacy of the Company’s information technology security program, compliance, governance processes, training and controls. The Audit Committee specifically oversees:

- management’s evaluation of the potential impact of cybersecurity risk exposures on the Company’s business, financial results, operations and reputation,
- the steps management has taken to monitor and mitigate such exposures,
- major legislative and regulatory developments that could materially impact such exposure, and
- the Company’s incident response planning (including escalation protocols), including with respect to the prompt reporting of material cybersecurity threats or incidents to management, the Audit Committee and the Board of Directors.

Our CIO periodically provides the Executive Leadership Team, which consists of the Company’s executive officers and other senior leaders, with cybersecurity briefings, information and trainings, and updates the Audit Committee on cybersecurity biannually or more frequently as appropriate. At any time, Board members may raise concerns regarding the Company’s cybersecurity posture and recommend changes regarding controls or procedures to management. Our CSIRP includes a process for incidents to be evaluated for material impact, with an escalation protocol requiring reporting of material incidents to the Executive Response Team and to the Board of Directors.

The CIO is the management position with primary responsibility for the development, operation, and maintenance of our cybersecurity risk management program. The CIO has deep experience in information systems and technology, including developing information and cybersecurity programs, roll-outs of new technology, information security audit and assessments, and cybersecurity operations focused on identification, mitigation and response to cybersecurity threats. The CIO has experience overseeing and executing technology strategies in complex, global, and matrixed environments. The CIO joined the Company in 2020, bringing over 15 years of experience leading IT strategy and change initiatives in the consumer packaged goods industry, and reports directly to our CEO.


Company Information

Name: HAIN CELESTIAL GROUP INC
CIK: 0000910406
SIC Description: Food and Kindred Products
Ticker: HAIN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: June 29