TOOTSIE ROLL INDUSTRIES INC - (TR)

10-K Filing Date: February 28, 2024

ITEM 1C. Cybersecurity.

Information technology is important to our business operations, and we are committed to protecting the privacy, security and integrity of our data, as well as our employee and customer data. The Company has a cybersecurity program in place for assessing, identifying and managing cybersecurity risks that is designed to protect its systems and data from unauthorized access, use or other security impact. Our cybersecurity risk program is designed to identify, assess, prioritize and mitigate risks across the organization; and to ensure that cyber risks are not viewed in isolation, but are assessed, prioritized and managed in alignment with the Company’s other operational, financial and strategic risk mitigation strategies.

We continuously monitor and update our information technology networks and infrastructure in an effort to prevent, detect, address and mitigate risks associated with unauthorized access, misuse, computer viruses and other events that could have a security impact. We invest in industry standard security technology to protect the Company’s data and business processes against risk of cybersecurity incidents. Our data security program includes identity, trust, vulnerability and threat management business processes, as well as adoption of standard data protection policies. We maintain and periodically test backup systems and disaster recovery. We also have processes in place that are designed to prevent disruptions resulting from our implementation of new software, including software updates, and new systems.

The Company has a comprehensive incident response plan to address cybersecurity incidents. The Company’s incident response plan includes procedures for identifying, containing and responding to cybersecurity incidents and is subject to periodic review and assessment. The Company also engages external parties, including consultants and a computer security firm to facilitate its cybersecurity oversight and assist in our response in the event of a cyber-attack or breach. Further, the Company has procured cyber-insurance that would provide coverage and consulting services in the event of a significant security breach. To date, the Company believes that its cybersecurity program has been effective in protecting the confidentiality and integrity of its information and systems; however, the Company cannot guarantee that its cybersecurity program will be successful in preventing all cybersecurity incidents. In addition, the Company’s cyber insurance may not be sufficient in type or amount to cover claims related to security breaches and cyber-attacks.

The Company has not experienced any material cybersecurity incidents or a series of related unauthorized occurrences for the year ended December 31, 2023, and the Company is not currently aware of any cyber security attacks or breaches that are reasonably likely to materially affect the Company’s business, business strategy, operating results or financial condition. However, as discussed under Item 1A “Risk Factors,” specifically the risks titled “Risk of operational interruptions relating to computer software or hardware failures, including cyber-attacks,” a cybersecurity incident could negatively impact sales and profits. The sophistication of cyber, ransomware and other security threats continues to increase, and the preventative actions we take to reduce the risk of these incidents and protect our systems and information may be insufficient. Accordingly, no matter how well controls are designed and implemented, we will not be able to anticipate all cybersecurity attacks, ransomware and other security breaches and we may not be able to implement effective preventive measures against such security breaches in a timely manner.

The Company’s cybersecurity risk program is supervised by members of our executive team and administered by internal information technology leadership with the assistance of third-party experts, including consultants and a computer security firm. The Audit Committee and the Board of Directors receive periodic reports on the Company’s actions to respond to the cyber security incidents and the overall cyber risk environment. In accordance with our Security Incident Response Plan (“SIRP”), the Audit Committee is to be promptly informed by management of cybersecurity incidents with the potential to have a material impact on the Company, its financial results, or its information systems.

To ensure our employees are educated on potential cybersecurity threats or actions, we train our executive officers and management in the event of a potential cyber threat or cybersecurity incident. Our Company-wide information security training program includes security awareness training, including regular phishing simulations, cyber wellness training and other targeted training and simulations. These programs provide employees the opportunity to gain an understanding and awareness of the various forms of cybersecurity incidents, including how to identify and report any suspicious activity or threat.
