HECLA MINING CO/DE/ - (HL)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity

 

Risk Management and Strategy

 

Hecla’s cybersecurity program uses multiple security measures to protect our assets, designed so that if one line of defense is compromised, additional layers exist as a backup in an effort to ensure that threats are stopped along the way. This program actively identifies internal and external threats and protects computer systems from attack, detects known threats and suspicious activity within the network, and supports response and recovery should a cyber incident occur. As part of this program, we engage third party resources to augment monitoring capabilities and review and assess the security program and advise on improvements. Additionally, we conduct a National Institute of Security and Technology (NIST) self-assessment annually to determine overall security program health. Approximately 10% of our corporate information systems technology (“IT”) budget is devoted to security programming, training, and management. Acceptable IT use policies are in place and communicated to employees and contract staff, and periodic training takes place to educate employees on the importance of cybersecurity and steps to be taken to avoid incidents.

 

Any material cybersecurity incident that we become aware of follows our standard guidelines for crisis communications and response, engaging personnel, management, and the board of directors as appropriate. In cases where the materiality of a cybersecurity incident is not immediately apparent, our Vice President, Information Technology (“VP, IT”) would report the incident to his supervisor, our Senior Vice President - Chief Administrative Officer (“CAO”), and to our General Counsel. This is consistent with our overall risk management system which relies, in part, on a “chain of command” reporting system in which supervisors monitor their respective departments and constantly seek feedback from employees or vendors in their department for potentially material events. This system is designed to ensure that information reaches the appropriate levels of the Company, including the Board of Directors. In cases where materiality, public disclosure or legal exposure is in question, our CAO or General Counsel will direct the flow of information to other members of management or the Board as appropriate. Additionally, we have standing weekly senior staff meetings where the President and CEO along with each vice president and occasionally other employees meet for two hours to discuss issues facing the Company. We expect that any cybersecurity incident that our VP, IT believes may be material to the Company will be discussed at these meetings and next steps considered.

 

When a cybersecurity incident is detected, we conduct an impact assessment, determine materiality, and take appropriate actions as described above. This process is also followed when notified that a software/services supplier has a cybersecurity incident.

 



 

There were no material cyber security incidents discovered in 2023. See Item 1A. Risk Factors - We have had losses that could reoccur in the future; Mining accidents or other adverse events at an operation could decrease our anticipated production or otherwise adversely affect our operations; Our operations may be adversely affected by risks and hazards associated with the mining industry that may not be fully covered by insurance; The price of our stock has a history of volatility and could decline in the future; and Our information technology systems may be vulnerable to disruption which could place our systems at risk from data loss, operational failure, or compromise of confidential information.

 

Board and Management Oversight

 

Through the risk management processes identified above, we are confident that any material cybersecurity threats will be brought to the attention of the Board of Directors, either directly or through the Audit Committee which is governed by its charter, including the affirmative responsibility to “periodically review risk assessments from management with respect to cybersecurity, including assessments of the overall threat landscape and related strategies and investments.” One way in which the Audit Committee fulfills that requirement is by receiving regular reports from management on not only known cybersecurity threats or incidents (including related risk assessments), but the landscape more generally, including with respect to known threats, technological advancements, best practices and current events.

 

In addition to the risk management policies described above, our management regularly reviews cyber security planning, including development and management of the program, budgeting, and participation in the incident response plan. The management team involved in this review includes our CEO, CAO, Chief Financial Officer ("CFO"), General Counsel, and the VP, IT. These reviews can also provide topics for discussion at Board and/or Audit Committee meetings.

 

Our VP, IT has a degree in Management Information Systems and over 35 years of experience. The fully staffed department includes resources dedicated to cybersecurity who monitor our threat detection and response tools for any attempted or successful hacks or other incursions into our IT environment, both externally and internally. These are reviewed and mitigated where appropriate, and escalated if necessary, via the processes noted above.