Hillman Solutions Corp. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

Hillman Solutions Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:32:24 EST.

Filings

10-K filed on 2025-02-20

Hillman Solutions Corp. filed a 10-K at 2025-02-20 16:32:24 EST
Accession Number: 0001822492-25-000050

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C - CYBERSECURITY. Cybersecurity Risk Management and Strategy 16 | December 28, 2024 Form 10-K The Company’s cybersecurity policies, standards, processes, and practices for assessing, identifying and managing material risks from cybersecurity threats and responding to cybersecurity incidents are part of the Company’s overall risk assessment efforts. The Company has established controls and procedures, including an incidence response plan, that provide for the identification, notification, escalation, communication, and remediation of data security incidents at appropriate levels so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. The Company continues to review its Cybersecurity program and controls and procedures as part of its efforts to strengthen its defenses. As part of its cybersecurity program, the Company utilizes firewalls, identity and access management programs, email security, anti-malware, and a detection and response program. The Company periodically assesses and tests its policies, standards, processes and practices that are designed to address cybersecurity threats and incidents by performing internal and external vulnerability scans, penetration testing, and phishing exercises. The Company utilizes a combination of internal employees and third parties to perform security monitoring and 24/7 response, penetration testing, phishing campaigns, and provide security awareness training to our employees. We recently updated our onboarding process for certain third-party vendors and service providers to include a review and assessment of their information security practices. The Company also conducts information security and awareness training to ensure that employees are aware of information security risks and to enable them to take steps to mitigate those risks . Role of the Board of Directors The Audit Committee and the Board of Directors are responsible for the oversight of cybersecurity risk. The Audit Committee and Board of Directors receive periodic updates from management on the Company’s cybersecurity program, threats, and defense measures implemented. Additionally, our Senior Vice President of Information Technology (“SVP - IT”) provides updates to the Board of Directors on an as needed basis with respect to cybersecurity risks or any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such cybersecurity incident until it has been remediated . Role of Management Our SVP-IT oversees and provides accountability related to our cybersecurity risk management strategy and overall information security program. The SVP-IT’s cybersecurity team is led by a Director of Information Technology Security. The cybersecurity team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The program incorporates policies and practices designed to protect the privacy and security of our sensitive information. The cybersecurity team includes dedicated internal resources that currently have Certified Information Systems Security Professional (“CISSP”) credentials, Certificate of Cloud Security Knowledge (“CCSK”), and other security and network certifications. In addition to our internal security staff, we partner with various third-party security service providers to augment our staffing, expertise, and hours of operation. The cybersecurity team leverages tools and systems such as Security Information and Event Management (“SIEM”), for real time alerts and insights. The SVP-IT regularly reports to our senior leadership team, as well as periodically to our Board of Directors , regarding our cybersecurity program and material cybersecurity risks. The SVP-IT coordinates with other teams including internal Audit, to ensure a combined focus on technology modernization and remediation needs. The SVP-IT is briefed weekly on current security operations and relevant issues across the cybersecurity threat landscape. Current Cybersecurity Events In late May 2023, we experienced a ransomware attack relating to certain systems on our network (the “Cybersecurity Incident”). We promptly initiated an investigation, engaged the services of cybersecurity experts and outside advisors and worked with appropriate law enforcement authorities to contain, assess and remediate the Cybersecurity Incident. The Cybersecurity Incident affected certain of our information technology systems, and as part of the containment effort, we suspended affected systems and elected to temporarily suspend additional systems in an abundance of caution. We reactivated and restored our operational systems over the course of the week following the Cybersecurity Incident. In 2023, the Cybersecurity Incident related costs net of an expected insurance receivable totaled $1.0 million. Our system remediation efforts regarding the Cybersecurity Incident were concluded as of December 30, 2023. In the fourth quarter of 2024, we received proceeds from our insurance claim that exceeded the amount recorded as a receivable by $0.6 million. These proceeds represented the cost associated with lost revenue and incremental expenses incurred. 17 | December 28, 2024 Form 10-K As of the date of this report, the Company is not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. In the event of an attack or other intrusion, we have a response team of internal and external resources engaged and prepared to respond. We also maintain cyber liability insurance to help mitigate potential liabilities resulting from cyber issues. We plan to continually invest in efforts to enhance data security in response to developments in the cybersecurity landscape.

Company Information