OLAPLEX HOLDINGS, INC. 10-K Cybersecurity GRC - 2025-03-04

Page last updated on March 4, 2025

OLAPLEX HOLDINGS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-04 16:02:31 EST.

Filings

10-K filed on 2025-03-04

OLAPLEX HOLDINGS, INC. filed a 10-K at 2025-03-04 16:02:31 EST
Accession Number: 0001868726-25-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Information technology supports all aspects of our business, including operations, marketing, sales, order processing, production and distribution networks, retail and Pro customer experience, consumer experience, finance, business intelligence, and product development. We continue to maintain and enhance our information technology systems, cybersecurity infrastructure and customer and consumer experiences in alignment with our long-term business strategy. An increasing portion of our global information technology infrastructure is cloud-based and is built and maintained in partnership with industry-leading service providers. We believe this approach enables a high-performance platform to support current and future requirements and enhances our scale and flexibility to respond to the demands of the business by leveraging advanced and leading-edge technologies. We recognize that technology presents opportunities to build a competitive advantage, and we continue to invest in new capabilities across various aspects of our business. Such efforts, however, subject us to increased cyber risk, as technology investments are subject to cyberattacks, business disruptions and other risks described in “Risk Factors - Risks Related to Information Technology and Cybersecurity” included in Part I. Item 1A of this Annual Report. We have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. As part of the Company’s enterprise risk management process, we conduct a comprehensive annual enterprise risk assessment that includes consideration of cybersecurity risks in conjunction with other Company risks. Our cybersecurity team further evaluates cybersecurity risks and develops risk mitigation response plans. We have established internal policies and procedures for cybersecurity risk management and incident response management that are based on industry standard cybersecurity frameworks, and we provide regular training to our employees regarding evolving cybersecurity threats and risk management. We also maintain cybersecurity insurance coverage that is intended to address certain costs that we may incur in the event that we experience a cybersecurity incident. Our cybersecurity team is primarily responsible for identifying, evaluating and responding to risks from cybersecurity threats. Our cybersecurity team reviews and assesses our cybersecurity profile against internal and external cybersecurity frameworks that are aligned with industry standards on an ongoing basis and conducts ongoing security management internally and through the engagement of third-party vendors and consultants. In addition, our cybersecurity team periodically engages independent third parties to conduct security assessments and internal and external penetration tests. Our cybersecurity team seeks to detect potential cybersecurity incidents through technical safeguards such as automatic detection systems, as well as through our policies and procedures that require internal and external notification of cybersecurity incidents. When a cybersecurity incident occurs, our cybersecurity team implements our incident management procedures and convenes an incident response team consisting of members of our IT team and other company representatives as appropriate based on the nature of the incident. The incident response team determines appropriate containment, eradication and recovery procedures based on the type of incident and recommends any corrective actions to the cybersecurity team following the resolution of the cybersecurity incident. Our cybersecurity incident management procedures also include a framework to assess whether a cybersecurity incident is material and subject to SEC reporting requirements. Such procedures include the involvement of senior members of our cybersecurity team and other senior leaders across various functions. We rely on the information systems of third-party vendors, including our cloud vendors, for various functions of our business, including manufacturing, sourcing, distribution, sales and marketing. We engage a third-party risk management software to oversee and identify the risks from cybersecurity threats associated with relevant vendors, based on the services such vendors provide and the information to which they have access. In addition, as part of our new vendor onboarding procedures, we review proposed new vendors’ cybersecurity and data protection practices and certifications and collaborate with such vendors to align their cybersecurity platforms with our expectations. Although we have experienced cybersecurity incidents in the past, as of the date of this report, we have not identified cybersecurity threats that have materially affected or are reasonably likely to materially affect our operations, business strategy, results of operations or financial condition . Despite our continuing efforts, we may face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect our operations, business strategy, results of operations, or financial condition. For more information, see “Risk Factors - Risks Related to Information Technology and Cybersecurity” included in Part I, Item 1A of this Annual Report. Governance Our Audit Committee assists the Board of Directors in its oversight of our policies, procedures and practices with respect to risk management and mitigation, including risks related to information security, cybersecurity, and data privacy and protection. Company management reviews our enterprise risk assessment with our Audit Committee and our Board of Directors and provides periodic updates with respect to our risk mitigation response plans to our Audit Committee and our Board of Directors. The Audit Committee has delegated oversight of risks related to information security, cybersecurity, and data privacy and protection to its Information Security Subcommittee, which meets at least twice a year with senior members of our cybersecurity team to discuss our cybersecurity profile and related risks, as well as to discuss updates on relevant developments in the cybersecurity threat environment. The Information Security Subcommittee reports to the Audit Committee following each subcommittee meeting, and the Audit Committee reports to our Board of Directors. Pursuant to our incident management procedures, cybersecurity incidents are reported to our Board of Directors, our Audit Committee or its Information Security Subcommittee as appropriate based on the nature of the incident. At the management level, our cybersecurity team is led by the head of our information technology team, who is responsible for assessing and managing material risks from cybersecurity threats, including the prevention, mitigation, detection, and remediation of cybersecurity incidents, and is a member of our incident response team. Our cybersecurity team has relevant academic degrees, multiple certifications, and real-world experience managing cybersecurity incidents and risks. The head of our information technology team has over 20 years of experience in information technology and cybersecurity, including previous employment as the chief information officer of multiple entities. Our broader cybersecurity team includes specialists that collectively have over 50 years of experience in information technology and/or cybersecurity and is supported by independent contractors. Our cybersecurity team works collaboratively to identify, assess and manage cybersecurity incidents and risks and implements and maintains centralized cybersecurity practices in coordination with senior leadership and cross functionally with other teams across the Company.

Company Information