Hillenbrand, Inc. 10-K Cybersecurity GRC - 2024-11-19

Page last updated on November 19, 2024

Hillenbrand, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-19 17:06:36 EST.

Filings

10-K filed on 2024-11-19

Hillenbrand, Inc. filed a 10-K at 2024-11-19 17:06:36 EST
Accession Number: 0001417398-24-000256


Item 1C. Cybersecurity.

Risk management and strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, which include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers, and violation of data privacy or security laws. We have developed and implemented a cybersecurity risk management program to protect critical assets, scale with business growth, identify and mitigate threats, and enable us to conduct our business securely. The program’s design utilizes the National Institute of Standards and Technology (NIST) Cybersecurity Framework, while adapting certain elements to align with our specific operational needs and objectives. The program and other cybersecurity processes have been integrated into our overall risk management framework. Certain key components of our cybersecurity program include the following:

Protecting our technology and information systems: We use various tools to help manage our overall program including unauthorized access detection, 24x7 security monitoring, email protection, network intrusion prevention systems, security training, penetration testing, and other similar tools to protect the Company’s data. When adopting or changing technology, we conduct risk-based security and privacy impact assessments and deploy administrative, physical, and technical safeguards that are designed to reasonably protect us from cybersecurity threats. We actively monitor and proactively research potential cybersecurity threats to our technologies and information systems and use what we learn to evolve our security controls over time to mitigate risks posed by such threats.

Incident response and recovery planning: We maintain incident response and recovery plans that direct our response to cybersecurity incidents. These plans guide how we evaluate and assign incident severity levels and reporting thresholds, escalate and engage cross-functional incident response teams, perform materiality assessments, and manage and mitigate the related risks. We also maintain a cybersecurity insurance program to reimburse covered costs, losses and claims relating to a data or security breach.

Third-party risk management: We maintain a risk-based approach to identifying and managing cybersecurity threats presented by third-party systems that support our operations, as well as third-party users of our data and systems, including vendors, service providers, and subcontractors. Further, we require third-party users with such access to our data and systems to adhere to industry policies and standards that are comparable to or exceed our policies and standards. For third-party users that do not have access to our data and systems, we require those users to maintain cybersecurity practices that align with industry standards and applicable laws.

Training and awareness: We have a cybersecurity training program designed to educate and train employees on how to identify and report cybersecurity threats, which includes regular phishing exercises and recurring cybersecurity awareness training to all our associates and third parties who have access to Company email and networks. Training programs are conducted on a periodic basis and are focused on giving employees awareness and tools to manage the most relevant and prevalent cybersecurity risks to us. Specialized training is also offered to employees in sensitive roles.

Assessments and testing: We use third-party specialists to conduct periodic assessment and testing of our policies, standards, processes, and practices that are designed to address cybersecurity threats. These efforts include tabletop exercises, risk assessments, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. Where appropriate, we adjust our cybersecurity policies, standards, processes, and practices accordingly based on internal and external assessment and testing results.

As of the date of this Form 10-K, we are not aware of any cybersecurity threats or incidents that have materially affected us or are reasonably likely to materially affect us, including our business strategy, consolidated results of operations, or financial condition. However, despite our security measures, we cannot assure that we or our third-party partners will not experience a future cybersecurity incident that could materially affect us.

Governance

Our Board of Directors oversees overall cybersecurity risk and strategy, and the Audit Committee of the Board of Directors oversees information security compliance as part of its broader compliance oversight mandate. Together, this ensures that the Board of Directors has a comprehensive view of the Company’s cybersecurity risk profile and framework. The Board of Directors and its Audit Committee include directors with knowledge, skills, and cybersecurity and information technology experience. Our EMT receives periodic briefings, and the Board of Directors and its Audit Committee receive annual and quarterly briefings, respectively, on cybersecurity matters. These briefings may include updates on critical information security and cybersecurity risks and the threat landscape; cybersecurity improvement initiatives and the internal control environment; and, if relevant, the status of actions taken with respect to any cybersecurity incidents.

The Chief Information Security Officer (“CISO”) is responsible for assessing, identifying, and managing cybersecurity risks, including implementation of our cybersecurity risk management program. The CISO works in partnership with the information technology, legal, finance, and internal audit functions to review information technology-related policies and internal controls in managing the cyber risk. The CISO has information technology and information security experience, including enterprise risk management leadership, and holds a Certified Information Security Manager certification from the Information Systems Audit and Control Association (ISACA). The CISO reports to the Chief Information Officer (“CIO”), who is a member of the Company’s Executive Management Team (“EMT”) and reports directly to the CEO. The CIO has extensive experience overseeing and executing technology strategies and implementations in complex, global organizations. As a part of our incident response plan, the CISO also reports and escalates cybersecurity incidents to the EMT and the Audit Committee as appropriate.


Company Information

Name: Hillenbrand, Inc.
CIK: 0001417398
SIC Description: Miscellaneous Manufacturing Industries
Ticker: HI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29