Latham Group, Inc. - (SWIM)
10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity
Information technology supports several aspects of our business, including among others, product ordering and fulfillment, pricing, customer service, transaction processing, financial reporting, collections, and cost management. Further, our business operations rely on the secure collection, storage, transmission, and other processing of proprietary, confidential, and sensitive data of the Company and third parties.
Risk Management and Strategy
We assess, identify and manage the material risks associated with cybersecurity threats as part of our enterprise risk management (“ERM”) program addressing our strategic, operational, compliance and financial risks across the organization. Our ERM program includes feedback from senior management and certain functional leaders. Each high-level risk is assigned to a member of senior management as the risk owner for oversight, with the risk owner developing a risk mitigation plan that is tracked to completion.
We have prioritized cybersecurity risks and made investments of time and resources in recent years to mitigate this risk area. We have implemented and maintain various technical, physical, and organizational measures, processes, standards, and/or policies designed to manage and mitigate material risks from cybersecurity threats to our information systems and data. Our risk mitigation steps include engagements with third-party service providers with expertise in cybersecurity that assist us in assessing risk, including through vulnerability assessments and penetration testing, and in implementing risk mitigation measures. We have implemented firewalls and related controls (including encryption of data, network security controls, access controls and physical security) across all of our locations and have invested in intrusion detection and protection systems, email filtering and systems to mitigate the risk of phishing attacks. We maintain a managed detection and response system and a security operations center that operates 24 hours per day, 7 days per week. Further, we have prepared an incident response plan to activate in the event of a cybersecurity event, including to respond to any such incident, define and seek to control the extent of the incident (including using an escalation framework based on the materiality of incidents), assess and take reasonable actions intended to remediate any damage caused, and implement measures designed to prevent future recurrences. We also have developed a disaster recovery and business continuity plan that provides for reduced downtime and data loss in the event of a security breach. The incident response team also leads simulation exercises to evaluate the effectiveness of such plan.
As we have increased our remote workforce in recent years, our management has focused on the Company enhancing the security of remote access with trusted devices, endpoint security controls and infrastructure resiliency. As part of this process, we enhanced our security incident response procedures to address risks specific to remote working conditions.
Third-party service providers, such as distributors, subcontractors, vendors, and data processors, have access to certain portions of our data in supporting various operating business functions. We have an onboarding and periodic security review process for all third-party vendors who have or will have access to our confidential information. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider, conducting security assessments, and conducting periodic reassessments during their engagement.
As with most companies, we have experienced cyber-attacks, attempts to breach our systems and other similar incidents. However, risks from cybersecurity threats, including from prior cyber incidents, have not materially affected, and are not reasonably likely to materially affect, our Company, including our business strategy, results of operations or financial condition, in 2023 and recent years. We carry cyber risk insurance that provides protection against a breach or other data security incident, but such insurance may not be sufficient, and any related insurance proceeds may not be timely paid to us. See “Risk Factors — Risks Related to Our Operations and Industry — We rely on information technology systems to support our business operations. A significant disturbance or breach of our technological infrastructure could adversely affect our financial condition and results of operations. Additionally, failure to maintain the security of confidential information could damage our reputation and expose us to litigation,” for additional discussion about cybersecurity-related risks.
Governance Oversight
Our Board of Directors oversees the Company’s cybersecurity program by receiving quarterly reports (or more often, if necessary) from management on potential threats (including emerging risks) and any incidents, and on the measures we have taken to prevent and to mitigate the impact of cyber-attacks on our systems. Our management presenters include our Chief Executive Officer and our combined Chief Information Officer and Chief Information Security Officer (our “CIO/CISO”). Our Board also reviews the efficacy of our cybersecurity program and the status of key information security initiatives, and approves, as appropriate, reasonable investments to enhance the protection of our information technology systems.
Our executive leadership team, which includes our Chief Executive Officer and CIO/CISO, manages the Company’s efforts to address cybersecurity threats by receiving weekly reports from our CIO/CISO on potential threats, mitigation steps, the sufficiency of cybersecurity resources (including personnel, third-party resources, hardware and software), and employee training and communications. Our CIO/CISO is a direct report of our Chief Executive Officer. Our CIO/CISO has 25 years of experience, including serving in similar roles leading and overseeing cybersecurity and information technology programs. He has the following educational qualifications in the cybersecurity field: a Master’s degree in Information Management, a Bachelor’s degree in Computer Engineering and a degree in electronics and telecommunications engineering. He also holds the following certifications relevant to cybersecurity risk management: Certified Information Systems Auditor (CISA); Certified Information Systems Security Professional (CISSP); Certified Data Privacy Solutions Engineer (CDPSE); and Certified in Risk and Information Systems Control (CRISC). IT team members who support our CIO/CISO and our information security program have relevant educational and industry experience. Our executive leadership team further includes several executives with prior experience in information technology systems, including cybersecurity, data privacy regulation, enterprise risk management, and assessment and auditing of internal controls related to data security.
Our incident response plan is led by our CIO/CISO and includes a multidisciplinary team comprising members of our IT security function and executive management from our legal, finance, human resources, corporate communications and internal audit/risk functions.