Hayward Holdings, Inc. - (HAYW)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Our Board of Directors (the “Board”) recognizes the importance of cybersecurity in today’s digital landscape. We are committed to safeguarding our information systems and data assets. This enables us to maintain the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in overseeing our risk management program, and cybersecurity represents an important component of our overall approach to risk management. Our cybersecurity processes are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. We seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information we collect and store, including information regarding our customers, suppliers and employees. As part of our risk management program, we actively work to identify, prevent and mitigate cybersecurity threats, and take steps to be prepared to effectively respond to cybersecurity incidents when they occur.
Risk Management and Strategy
We have established a robust cybersecurity governance framework to manage and mitigate risk. Our approach includes:
Maintaining a comprehensive International Organization for Standardization-based Information Security Policy. The Information Security Policy is reviewed and certified by our Vice President of Information Technology.
Inclusion of Sarbanes-Oxley Information Technology General Controls in our Risk and Control Matrix, which are routinely tested by our Internal Audit team.
Regular risk and vulnerability assessments to identify and address potential weaknesses in our systems. We primarily utilize in-house resources for assessing, identifying and managing cybersecurity threats.
Engaging external cybersecurity firms, as needed, leveraging their expertise as part of our ongoing effort to evaluate and enhance our cybersecurity program. They assist with assessing our cybersecurity defense capabilities and recommend steps to mitigate associated threats, reduce risk, enhance our cybersecurity posture and meet our evolving needs.
Routine screening of potential and existing third-party vendors to assess their cybersecurity posture and the incremental risk that they may pose to us. Third-party vendor access to critical information systems is subject to regular review and assessment by management, and management evaluates the cybersecurity risks and safeguards of potential third-party vendors prior to engaging such vendors.
Mandatory employee cybersecurity training to equip the employees with the tools and knowledge to enhance the cybersecurity posture across the organization.
Continuous monitoring of networks and systems for suspicious activity; leveraging firewalls; intrusion detection and prevention systems; endpoint anti-virus and anti-malware solutions; and a privileged access management system.
A comprehensive incident response plan, which has been developed to enhance the Company’s ability to respond to, and recover from, cybersecurity incidents.
We engage in the periodic assessment and testing of our processes that are designed to address cybersecurity threats and incidents, including with respect to third-party vendors. The results of such assessments are reported to management and the Board. Adjustments to our cybersecurity processes are made as necessary.
Through the aforementioned processes, we did not identify risks from current or past cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, we face ongoing risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect business strategy, results of operations, or financial condition. See “Risk Factors—We rely on information technology systems to support our business operations. A significant disturbance or breach of our technological infrastructure, or those of our vendors or others with which we do business, could adversely affect our financial condition and results of operations. Additionally, failure to maintain the security of confidential information could damage our reputation and expose us to litigation.”
Governance
The Audit Committee is primarily responsible for overseeing our management of risks arising from cybersecurity threats. The Audit Committee receives quarterly presentations on cybersecurity risks, addressing matters such as evolving standards; vulnerability assessments, including results of third-party penetration testing; audits of our cybersecurity IT controls; and independent reviews of our cybersecurity processes. Management and the Board also receive prompt and timely information regarding any significant or potentially material cybersecurity incident and our remediation efforts.
Our Vice President, Information Technology, in coordination with management, works to implement our program to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. To facilitate the success of our cybersecurity risk management program, we have assigned dedicated resources, including our Vice President, Information Technology, and members of his team to monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and provide reports to management, the Audit Committee and the Board on a regular basis and as needed in response to specific incidents.
Our Vice President, Information Technology, has served in various roles in information technology and information security for over 20 years, the majority of which has involved leading IT transformation, cybersecurity and compliance programs at public companies. He holds an undergraduate degree in industrial engineering and an MBA and has attained multiple cybersecurity-related certifications including the Certified Information Systems Security Professional.