HF Foods Group Inc. 10-K Cybersecurity GRC - 2025-03-17

Page last updated on March 17, 2025

HF Foods Group Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 16:46:20 EDT.

Filings

10-K filed on 2025-03-17

HF Foods Group Inc. filed a 10-K at 2025-03-17 16:46:20 EDT
Accession Number: 0001680873-25-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Cybersecurity Risk Management and Strategy The Company assesses, identifies, and manages cybersecurity risks using a risk management program intended to reduce risks to the Company, its employees, customers and stockholders. Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall enterprise risk assessment procedures. Our cybersecurity-specific risk assessment and management procedures help identify cybersecurity threat risks. Our cybersecurity risk assessment program includes the following: - Annual cybersecurity vulnerability and maturity assessments based on the Center for Internet Security (CIS) Critical Security Controls framework. - Annual internal/external penetration testing conducted by a third-party offensive security vendor. A significant cybersecurity incident may result from actions by our employees, suppliers, third-party administrators, or unknown third parties or through cyber-attacks and could affect our data framework or cause a failure to protect the personal information of our customers, suppliers or employees, or sensitive and confidential information regarding our business and 19 could give rise to legal liability and regulatory action under data protection and privacy laws. The Company describes whether and how risks from identified cybersecurity threats have materially affected or are reasonably likely to materially affect the Company under the heading " We rely on technology in our business and any cybersecurity incident, other technology disruption or delay in implementing new technology could negatively affect our business and our relationships with customers ," in Item 1A of this Annual Report on Form 10-K. To date, there have not been any cybersecurity threats or incidents that have materially affected, or are reasonably likely to materially affect, the Company, including its financial condition, results of operations, or business strategies. Governance Our Board of Directors oversees our overall risk management strategy. Our information security program is managed by our Senior Vice President of People and Technology , who has twenty-five years of experience in IT leadership across a variety of industries including manufacturing, distribution, defense, and financial services, whose team is responsible for maintaining our enterprise-wide cybersecurity strategy, policies, standards, architecture and processes. Our program is assessed both internally and externally by third parties, including our virtual Chief Information Security Officer (“vCISO”) partner. Our Senior Vice President of People and Technology provides reports at least quarterly to our Audit Committee, as well as our Disclosure Committee, which comprises senior management and key stakeholders, as appropriate. The reports provided include updates on our cyber risks and threats, and key updates to our information security systems and programs as well as the current threat environment. We also have processes in place to stay informed of and monitor prevention, detection, mitigation, and remediation of cybersecurity risks, including: - Any cybersecurity breach, unauthorized access, data loss, or ransomware attack must be immediately escalated to the Disclosure Committee, General Counsel, Internal Audit, and Audit Committee. - On a quarterly basis, the Disclosure Committee, in coordination with the SVP of People and Technology, Internal Audit, and vCISO, shall assess the Company’s cybersecurity risk exposure, including potential vulnerabilities in IT systems and data security.

Company Information