Page last updated on February 25, 2025
HELIOS TECHNOLOGIES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:23:04 EST.
Filings
10-K filed on 2025-02-25
HELIOS TECHNOLOGIES, INC. filed a 10-K at 2025-02-25 16:23:04 EST
Accession Number: 0000950170-25-026703
Item 1C. Cybersecurity.
Risk Management and Strategy

We assess, identify and manage material risks from cybersecurity threats through various protective policies, procedures and processes. These are embedded into our overall risk management system and extend to risks related to systems hosted by third parties. We utilize external standards, such as the Center for Internet Security framework, as a starting point for the design and development of our systems that assess risk and mitigation measures. Helios is committed to achieving compliance with the CIS implementation group level 2 standards. However, this does not mean that we meet any particular technical standards, specifications, or requirements, but rather we use external standards as a guide to help us identify, assess and manage cybersecurity risks and threats relevant to our business. An annual risk assessment is completed and presented to the executive leadership team and the Company’s Board of Directors. We discuss changes to our policies, procedures and processes needed to address gaps identified through the assessment.

We maintain organizational safeguards that include employee training, business continuity planning and cybersecurity insurance. These safeguards are reviewed on an annual basis or more frequently as the business environment warrants and are adjusted as needed to account for changes in the Company and overall risk environment. Cybersecurity training is delivered to employees through a combination of online modules and, where role-specific needs or circumstances warrant, instructor-led classroom sessions. This approach ensures comprehensive training tailored to the requirements of various roles while maintaining flexibility and accessibility.

We incorporate technical safeguards such as Multi-Factor Authentication (“MFA”), principles of Zero Trust and password complexity policies for all accounts to help prevent unauthorized access to our systems and data. Additionally, we utilize XDR (Extended Detection and Response) installed on endpoints, along with our Security Operations Center (“SOC”) to manage real-time endpoint protection monitoring.

We engage in annual corporate-wide internal and external facing penetration tests, employing a battery of hacking tools to map out our assets and to assess vulnerabilities that could be exploited. In addition, we also extend such testing to newly acquired companies and assets as part of the integration process. This penetration testing is performed by a third party and is used to evaluate our current posture towards cybersecurity threats and to make adjustments, as needed, to protect our systems. The results are reviewed with the executive leadership team and the Company’s ESG Committee of the Board of Directors.

We have an Incident Response Policy and related processes that outline steps to be taken in the event of a cybersecurity incident that impacts Helios, our partners and third-party hosted systems. When a cybersecurity incident occurs, the IT team promptly notifies the VP, Information Technology and assesses its potential impact on operations and business continuity. Incidents that pose a potential threat to operations or business continuity are escalated to a cross-functional team comprising the VP, Information Technology, the Chief Financial Officer (CFO), and the General Counsel. This team evaluates the incident’s materiality, considering factors such as the nature, scope, and timing of the event, as well as its potential financial and operational. Based on the evaluation, incidents determined to be material are reported to the ESG Committee. This escalation ensures that the Board of Directors is informed of significant cybersecurity events that could impact the company’s financial health or operations.

No risks from cybersecurity threats nor any previous cybersecurity incidents have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, but we cannot provide any assurance that they will not be materially affected in the future by such risks or incidents. For a discussion of whether and how any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, see “Risks Relating to Our Business: Other–Increased IT security threats and more sophisticated and targeted computer crime could pose a risk to our systems, networks, products, solutions and services” in Item 1A, Risk Factors.

Corporate Governance

Role of Management

Helios Technologies’ Information Technology organization is led by the VP, Information Technology and is responsible for administration of the cybersecurity and information security framework and risk management, including that of the Corporation and its business units, with oversight by the ESG Committee. Helios’ VP, Information Technology is an active member of InfraGard and has formal education in information technology with over 25-years’ experience in roles involving management of cybersecurity functions, cyber strategy, and leading and collaborating on information systems and related technologies. The VP, Information Technology receives regular updates on cybersecurity developments, results of mitigation efforts and cybersecurity incident response and remediation through monthly Advanced Threat Intelligence briefings and FBI bulletins via Infragard.

Helios information systems organization and its management team are responsible for developing and implementing its cybersecurity policies and is comprised of individuals with either formal education in information technology or cybersecurity or relevant experience working in information technology and cybersecurity. Additionally, leaders in Helios’ information technology function receive periodic training and education on cybersecurity related topics including certifications.

Role of the Helios Board of Directors

The ESG Committee addresses risks related to the global enterprise, including material risks facing the businesses, risks the Company may face in the future, measures that management has employed to address those risks and other information relating to how risk analysis is incorporated into the Company’s corporate strategy and day-to-day business operations. As part of this oversight function, the ESG Committee is responsible for overseeing cybersecurity-related risks. The ESG Committee includes cybersecurity topics in its quarterly updates to the full Board of Directors, which provides further oversight over our cybersecurity-related risks and the Company’s strategies to address such risks. Reports to the Board of Directors and ESG Committee include comprehensive updates on the current cybersecurity risk landscape, the status of ongoing mitigation efforts, and emerging incident trends. Additionally, these reports cover updates on third-party risk assessments, progress on cybersecurity initiatives such as technology upgrades, regulatory compliance measures, and employee training programs.
Company Information
Name | HELIOS TECHNOLOGIES, INC. |
CIK | 0001024795 |
SIC Description | Miscellaneous Fabricated Metal Products |
Ticker | HLIO - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 29 |