Acushnet Holdings Corp. - (GOLF)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
To more effectively prevent, detect and respond to cyber and information security threats, we maintain a global cyber security risk management program designed to identify, assess, and manage material risks from cybersecurity threats. Our risk management program is supervised by a dedicated Senior Director of Cyber & Information Security (the “SDCIS”), who has more than 30 years of experience in cybersecurity and information technology in both private industry and the United States Air Force. The SDCIS is responsible for leading an enterprise-wide cyber security strategy, policy, standards, architecture and processes. The SDCIS reports directly to our Executive Vice President and Chief Technology and Digital Officer (the “CTDO”). For information regarding the relevant expertise and qualifications of our CTDO, see "Information About Our Executive Officers" included in Part I of this report. The cyber risk management program is based on a leading cyber risk controls framework and includes periodic maturity and risk assessments.
Our Board of Directors has established oversight mechanisms to manage risks from cybersecurity threats. The Audit Committee has responsibility for overseeing our cyber and information security program, which institutes and maintains controls for our systems, applications, and databases and for our third-party providers. The Audit Committee receives quarterly updates on the status of the cyber risk management program from the CTDO which include, among other things, a review of a dynamic and emerging cyber threat landscape, security events of note, updates on cyber risks and threats and the status of projects to strengthen and mature our cyber and information security program. Additionally, the SDCIS chairs the Cybersecurity Risk Committee, which seeks to drive awareness, ownership and alignment across broad governance and risk stakeholder groups for enhanced effectiveness of cybersecurity risk management and reporting. Members of senior management also discuss cybersecurity developments with the CTDO and SDCIS between meetings. Top identified cyber risks, metrics and measures of the effectiveness of the cyber risk management program are reviewed quarterly at the Cybersecurity Risk Committee and Company Risk Management Committee. Our Board also receives periodic updates from the CTDO and the SDCIS relating to cyber and information security risks.
We annually engage third parties (as well as our own internal audit department) to audit our cyber and information security programs, processes and controls, and the findings of these parties are reported to the Audit Committee and the full Board. These audits also include annual penetration testing and web application assessments by third parties to test control effectiveness against threat actor attack techniques.
Our processes also address cybersecurity risks associated with our use of third-party service providers. We oversee third-party service providers by conducting vendor diligence upon onboarding and ongoing monitoring. Vendors are assessed for risk based on the nature of their service, access to data and systems and supply chain risk and, based on that assessment, we conduct diligence that may include completing security questionnaires, onsite evaluation, penetration test and policy reviews, and scans or other technical evaluations. We also partner and actively engage with key vendors and industry participants to share intelligence, best practices and benchmarking data with other member organizations of the Retail and Hospitality Information Sharing and Analysis Center, which aims to help its members improve their security posture and resilience against cyber-attacks.
We maintain a Cyber and Data Security Incident Response Plan to more effectively respond to cyber and information security events. Periodically, we conduct a cybersecurity incident response tabletop exercise to test response actions of the Security Incident Response Team, to facilitate group discussions regarding the effectiveness of our cybersecurity incident response strategies and tactics and to update the plan with any lessons learned from the exercise.
Our Security Awareness Program includes training that reinforces cybersecurity risk management policies, standards and practices, as well as the expectation that employees comply with these policies. The Security Awareness Program also trains personnel on how to identify potential cybersecurity risks and protect our resources and information. This training is mandatory for all relevant employees globally on a periodic basis, and it is supplemented by firmwide testing initiatives, including quarterly phishing tests. We provide specialized security training for certain employees such as application developers, human resources and finance teams. Finally, our Global Privacy Program requires all relevant employees to take periodic awareness training on data privacy. This privacy-focused training includes information about the relevant laws, confidentiality and security, as well as how to effectively report and respond to unauthorized access to or use of personal information.
As of the date of this report, we have not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations or financial condition. Despite our continuing efforts, we cannot guarantee that our cybersecurity safeguards will prevent breaches or breakdowns of our or our third-party service providers’ information technology systems, particularly in the face of continually evolving cybersecurity threats and increasingly sophisticated threat actors. For more information about the cybersecurity risks we face, see the risk factor in Item 1A entitled "We rely on complex information systems for management of our manufacturing, distribution, sales and other functions. If our information systems fail to perform these functions adequately or if we experience an interruption in our operations, including a breach in cybersecurity, our business, financial condition and results of operations could be materially adversely affected."