HELIOS TECHNOLOGIES, INC. - (HLIO)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We assess, identify and manage material risks from cybersecurity threats through various protective policies, procedures and processes. These are embedded into our overall risk management system and extend to risks related to systems hosted by third parties.

We utilize external standards, such as the Center for Internet Security framework, as a starting point for the design and development of our systems that assess risk and mitigation measures. An annual risk assessment is completed and presented to the executive leadership team and the Company’s Board of Directors. We discuss changes to our policies, procedures and processes needed to address gaps identified through the assessment.

We maintain organizational safeguards that include employee training, business continuity planning and cybersecurity insurance. These safeguards are reviewed on an annual basis or more frequently as the business environment warrants and are adjusted as needed to account for changes in the Company and overall risk environment. Cybersecurity training is provided to employees through both online and classroom instructor-led training.

We incorporate technical safeguards such as Multi-Factor Authentication (“MFA”), principles of Zero Trust and password complexity policies for all accounts to help prevent unauthorized access to our systems and data. We also operate a Security Operations Center (“SOC”) to manage our real-time end point protection monitoring.

We engage in annual corporate-wide internal and external facing penetration tests, employing a battery of hacking tools to map out our assets and to assess vulnerabilities that could be exploited. In addition, we extend such testing to newly acquired companies and assets as part of the integration process. This penetration testing is performed by a third party and is used to evaluate our current posture towards IT security threats and to make adjustments, as needed, to protect our systems. The results are reviewed with the executive leadership team and the Company’s Board of Directors.

We have an Incident Response Policy and related processes that outline steps to be taken in the event of a cybersecurity incident across Helios, our partners and third-party hosted systems. All incidents are reported to the Global Head of Information Technology who then reviews significant incidents with a cross-functional working group, inclusive of the Company CFO and General Counsel, to assess the materiality or potential materiality. An Incident Response Team that will determine response actions to be taken and coordinate all necessary communications is formed when an incident is deemed material or potentially material.

No risks from IT security threats nor any previous IT security incidents have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, but we cannot provide any assurance that they will not be materially affected in the future by such risks or incidents. For a discussion of whether and how any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, see “Risks Relating to Our Business: Other––Increased IT security threats and more sophisticated and targeted computer crime could pose a risk to our systems, networks, products, solutions and services” in Item 1A, Risk Factors.

Corporate Governance

Role of Management

Helios Technologies’ Information Systems organization is led by the Global Head of Information Technology and is responsible for administration of the cybersecurity and information security framework and risk management, including that of the Corporation, with oversight by the ESG Committee.

Helios’ Global Head of Information Technology is an active member of InfraGard and has formal education in information technology with over 25 years’ experience in roles involving management of cybersecurity functions, cyber strategy, and leading and collaborating on information systems and related technologies. The Global Head of Information Technology receives regular updates on cybersecurity developments, results of mitigation efforts and cybersecurity incident response and remediation.

Helios IT management is responsible for developing and implementing its cybersecurity policies and is comprised of individuals who either have formal education in information technology or cybersecurity or have relevant experience working in information technology and cybersecurity. Additionally, leaders in Helios’ information technology function receive periodic training and education on cybersecurity related topics including certifications.

Role of the Helios Board

The ESG Committee addresses risks related to the global enterprise, including material risks facing the businesses, risks the Company may face in the future, measures that management has employed to address those risks and other information relating to how risk analysis is incorporated into the Company’s corporate strategy and day-to-day business operations. As part of this oversight function, the ESG Committee is responsible for overseeing cybersecurity-related risks. The ESG Committee includes cybersecurity topics in its quarterly updates to the full Board, which provides further oversight over our cybersecurity-related risks and the Company's strategies to address such risks.