HERSHEY CO - (HSY)
10-K Filing Date: February 20, 2024
Item 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Information technology is important to our business operations, and we are committed to protecting the privacy, security and integrity of our data, as well as our employee and customer data. The Company has a comprehensive cybersecurity program in place for assessing, identifying and managing cybersecurity risks that is designed to protect its systems and data from unauthorized access, use or other security impact. This program is integrated into the Company’s overall Enterprise Risk Management and Resiliency process.
We continuously monitor and update our information technology networks and infrastructure to prevent, detect, address and mitigate risks associated with unauthorized access, misuse, computer viruses and other events that could have a security impact. We invest in industry standard security technology to protect the Company’s data and business processes against risk of cybersecurity incidents. Our data security management program includes identity, trust, vulnerability and threat management business processes, as well as adoption of standard data protection policies. We measure our data security effectiveness by benchmarking against industry-accepted methods and we work to remediate any significant findings. We maintain and routinely test backup systems and disaster recovery and also have processes in place to prevent disruptions resulting from our implementation of new software and systems.
The Company has a comprehensive incident response plan to address cybersecurity incidents. The Company’s incident response plan includes procedures for identifying, containing and responding to cybersecurity incidents and is subject to regular review and assessment to ensure that it is effective in protecting the Company’s information technology. To date, the Company believes that its cybersecurity program has been effective in protecting the confidentiality, integrity, and availability of its information; however, the Company cannot guarantee that its cybersecurity program will be successful in preventing all cybersecurity incidents. Further, we currently maintain a cyber insurance policy that provides coverage for security breaches; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks and other related breaches.
The Company engages external parties, including consultants, computer security firms and risk management and governance experts, to enhance its cybersecurity oversight. In order to oversee and identify risks from cybersecurity threats associated with the Company’s use of third-party service providers, we also have a third-party risk management program designed to help protect against the misuse of information technology by third parties and business partners, which includes certification of our major technology suppliers and any outsourced services through accepted security certification standards.
While we are regularly subject to cybersecurity attacks, ransomware and other security breaches, the Company has not experienced any material cybersecurity incidents or a series of related unauthorized occurrences for the year ended December 31, 2023. The Company does not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect the Company or its business strategy, results of operations or financial condition. However, as discussed under “Item 1A. Risk Factors,” specifically the risks titled “Disruptions, failures or security breaches of our information technology infrastructure could have a negative impact on our operations,” the sophistication of cyber, ransomware and other security threats continues to increase, and the preventative actions we take to reduce the risk of these incidents and protect our systems and information may be insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all cybersecurity attacks, ransomware and other security breaches and we may not be able to implement effective preventive measures against such security breaches in a timely manner.
Cybersecurity Governance and Oversight
The Company’s Board of Directors has a mix of experiences, skills, qualifications and backgrounds to support strategy and risk oversight, including expertise in cybersecurity and oversight of cybersecurity matters. This oversight is achieved through the Company’s Finance and Risk Management (“F&RM”) Committee, which is composed of five members of our Board of Directors and one Board member who serves in an ex-officio capacity. The F&RM Committee is responsible for reviewing key enterprise risks identified through our Enterprise Risk Management and Resiliency process, which includes information security strategies and risks, as well as data privacy and protection risks and mitigation strategies (collectively, “Information Security”). At each regularly scheduled F&RM Committee meeting, management, through the Company’s Chief Information Security Officer (“CISO”), reports on Information Security controls, audits, guidelines and developments, and the F&RM Committee is notified between such updates regarding significant new cybersecurity threats or incidents.
The Hershey Company | 2023 Form 10-K | Page 16 |
The CISO, who reports to the Chief Technology Officer (“CTO”), oversees a dedicated Information Security team that is supported by the Privacy Center of Excellence, and works in partnership with internal audit to review certain information technology-related internal controls with our independent auditors as part of the overall internal controls process. Our CTO, who reports to the Chief Executive Officer, has oversight of our Information Security team and leads the Company’s global technology strategy, architecting and deploying digital capabilities that are innovative, flexible and prepared to meet the changing needs of our consumers, retail partners and employees.
The CISO’s cybersecurity experience includes over thirty years of Information Technology experience, including twenty years within the Information Security field. The CISO’s Information Security roles have included security engineering, security architecture, strategy development and execution, risk and compliance management and identity and access management and incident response. The Company’s CTO has over twenty years of experience, including deep expertise in developing cutting-edge automated systems, supply chain planning, optimization and simulation, artificial intelligence and predictive analytics. Additional experience held by the CTO is described further under Information about Our Executive Officers.
To ensure our employees are educated on potential cybersecurity threats and on the actions to take in the event of a potential cyber threat or cybersecurity incident, we train our executive officers and global workforce on an ongoing basis. Our Company-wide Information Security training program includes security awareness training (including regular phishing simulations), acceptable use training, cyber wellness training and other targeted training throughout the year. This training gives employees an understanding of the various forms of cybersecurity incidents and enables them to handle and report any suspicious activity or threat.