Honest Company, Inc. - (HNST)
10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity
Risk management and strategy
The protection of our systems containing customer information, our brand, and its intellectual property and data is very important to us. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, customer information, our brand, and confidential information that is proprietary, strategic or competitive in nature (“Information Systems and Data”).
Our Information Security function is overseen by our Vice President of Technology and is supported by our information security team, legal, and various third-party service providers. Together, they administer our Enterprise Risk Management Program, which identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s and industry’s risk profile using various methods including, for example, manual and automated tools, subscribing to reports and services that identify cybersecurity threats, conducting scans of potential threat environments, and conducting vulnerability assessments in order to identify vulnerabilities in our systems. We have developed a Cybersecurity Program that allows us to continuously assess and improve the governance, identification, detection, and response capabilities of our critical systems, while staying up to date with the most innovative technologies.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: maintaining a comprehensive incident response plan, conducting risk assessments, encrypting data, maintaining network security controls, access controls, physical security measures, and system monitoring tools, conducting employee training, performing periodic penetration testing, and maintaining cybersecurity insurance.
Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, cybersecurity risk is addressed as a component of the Company’s Enterprise Risk Management Program, with our Board of Directors, through the Audit Committee, maintaining oversight of cybersecurity risk management. Our internal security team, in conjunction with our IT Systems and Cybersecurity Manager, works with a third-party risk management company to perform an annual security risk assessment across our organization's systems and processes. This consists of an assessment against the latest National Institute of Standards and Technology ("NIST") Cybersecurity Framework ("CSF") 2.0 and its 200+ controls. There is also a business impact analysis involving all the critical business units and their systems, not limited to information technology.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, third-party cybersecurity software providers, managed service providers and penetration testing firms. Additionally, we use third-party service providers to perform a variety of functions throughout our business, such as application providers and hosting companies. We have a vendor management program to manage cybersecurity risks associated with our use of these providers, which includes collecting a security questionnaire and relevant reports from such providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the risk factor titled, “We are increasingly dependent on information technology and our ability to process data in order to operate and sell products, and if we (or our third parties) are unable to protect against software and hardware vulnerabilities, service interruptions, data corruption, cyber-based attacks, ransomware or security breaches, or if we fail to comply with our commitments and assurances regarding the privacy and security of such data, we could experience adverse consequences, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions to our business operations; interruptions in our ability to provide our goods and services; exposure to liability; reputational harm; loss of revenue or profits; loss of customers or sales; and other adverse consequences.”
Governance
Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function and is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight of the mitigation of risks from cybersecurity threats. The Audit Committee of the board of directors is responsible for reviewing the Company's financial reporting of cybersecurity risks and incidents in accordance with SEC rules.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Vice President of Technology who has over fifteen years of experience in leading and operating a variety of technology functions including Systems, Infrastructure, Security and Software Engineering and our IT Systems and Cyber Security Manager who has over eight years of experience in designing and implementing secure systems and networks, focused on information and data security.
Our Vice President of Technology and CFO are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our Vice President of Technology and CFO are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our CFO and Vice President of Technology. The CFO and Vice President of Technology work with the IT Systems & Cyber Security Manager to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response processes include reporting to the board of directors certain cybersecurity incidents.
The Audit Committee of the board of directors receives regular reports from the Vice President of Technology concerning the Company’s significant cybersecurity threats and risks and the processes the Company has implemented to address them. The Audit Committee also has access to various reports, summaries or presentations related to cybersecurity threats, risks and mitigation.