HASBRO, INC. - (HAS)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.
We have an in-depth approach to monitoring and addressing cybersecurity risk. Members of management together with our Board, the Cybersecurity and Data Privacy Committee of the Board (the "Cybersecurity Committee"), our internal Cybersecurity and Data Privacy Steering Committee (a cross-functional team which includes members of our Executive Leadership Team), and the Enterprise Risk Management team (a task force comprised of senior representatives of the company assessing risk in the organization), have developed cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner.
Our cybersecurity program leverages various industry standards like the National Institute of Standards and Technology ("NIST") and Center for Internet Security Program framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. Our enterprise risk management team reviews cybersecurity risks, and key cybersecurity risks are incorporated into the enterprise risk management ("ERM") reports reviewed and discussed internally and with the Board. In addition, we have several avenues to gather risk intelligence and potential threats identified by various services and capabilities to adjust our security strategy. We also have a set of Company-wide policies and procedures concerning cybersecurity and technology standards, which include a Technology Use policy, as well as other policies that directly or indirectly relate to cybersecurity, such as policies related to endpoint and network protection, encryption standards, malware/ransomware protection, remote access, multi-factor authentication, confidential information and the use of the internet, social media, email and wireless devices. These policies go through an internal review process and are approved by appropriate members of management.
The Company’s Chief Information Security Officer (“CISO”) is responsible for developing and implementing our information security program and reporting quarterly on cybersecurity matters to the Cybersecurity and Data Privacy Steering Committee, as well as to the Board and the Cybersecurity Committee. Our Chief Information Officer is an Executive Sponsor of the Cyber Security Program, has over two decades of experience leading cyber security oversight, and others on our cyber security team have cybersecurity experience and certifications, such as the Certified Information Systems Security Professional, or other industry leading certifications.
We have invested in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts. At the management level, our IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. The team also prepares a cyber scorecard, regularly collects data on cybersecurity threats and risk areas and conducts an annual risk assessment. Further, we conduct periodic external penetration tests, red team testing and maturity testing to assess our processes and procedures and the threat landscape. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property. In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with use of third-party vendors and service providers. The internal business owners of the hosted applications are required to document user access reviews at least annually and provide from the vendor a System and Organization Controls ("SOC") 1 or SOC 2 report. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with use of third-party providers is part of our overall cybersecurity risk management framework.
The Cybersecurity Committee and the full Board actively participate in discussions with management and amongst themselves regarding cybersecurity risks. The Cybersecurity Committee meets regularly during the year and discusses cyber-related industry events, critical cyber incidents, alignment with our information security framework, threat assessment, security capabilities, response readiness and training efforts. A third-party cyber security firm also advises the Cybersecurity Committee on cybersecurity threats, trends in the industry, and best practices. This third party also evaluates and assesses our programs. The Cybersecurity Committee conducts an ongoing review of the Company’s cybersecurity program, which includes discussion of management’s actions to identify and detect threats, planned actions in the event of a response or recovery situation, as well as a review of recent enhancements to the Company’s security detection and response capabilities, and management’s progress on its cybersecurity strategic roadmap. The Cybersecurity team also subscribes to various threat intelligence services to evaluate our security strategy or defense mechanism against such threats.
The Board receives regular updates from the Cybersecurity Committee, including a summary of key performance indicators, test results and related remediation, and recent threats and how the Company is managing those threats. To aid the Board with its cybersecurity and data privacy oversight responsibilities, the Board periodically hosts experts for presentations on these topics.
We face a number of cybersecurity risks in connection with our business. During the past three years we have not suffered a material breach or a reportable incident, and cybersecurity risks (including breach of third parties with whom we work) have not materially affected us, including our business strategy, results of operations or financial condition. For more information about the cybersecurity risks we face, see Item 1A. Risk Factors.