HAWKINS INC - (HWKN)

10-K Filing Date: May 15, 2024
ITEM 1C. CYBERSECURITY

Hawkins is committed to maintaining robust cybersecurity practices to safeguard our operations, data, and stakeholders' interests. We monitor our cybersecurity landscape and adapt our strategies and governance practices to mitigate risks in this rapidly evolving area.

The Company acknowledges that cybersecurity threats present a risk of material adverse impacts on our operations, reputation, and financial condition. Cybersecurity threats are continuously evolving, becoming more sophisticated, and increasing in frequency. For Hawkins, these threats can potentially lead to data breaches, theft of intellectual property, operational disruptions, damage to persons and property, and financial losses. We have a comprehensive cybersecurity risk management strategy designed to promptly identify, assess, and mitigate the risk of occurrence and impact from cybersecurity threats. Despite our efforts, it is not possible to completely identify, prevent or mitigate the impacts of cybersecurity threats.

Cybersecurity Governance

Our Board of Directors is primarily responsible for oversight of risks from cybersecurity threats. Our audit committee is specifically responsible for oversight of cybersecurity risks within the Board of Directors. The audit committee is informed of our cybersecurity risk management practices at regularly scheduled meetings, including:
Our cybersecurity policies and strategies.
Incident response and recovery plans.
Employee training and awareness programs.
Cybersecurity audits and engagement with external cybersecurity experts and advisors on an as-needed basis.

Our Chief Information Officer ("CIO") is responsible for implementing our cybersecurity strategy, developing policies and procedures, and ensuring that appropriate resources are allocated to cybersecurity initiatives. The CIO and senior network and security resources at Hawkins have decades of experience in cybersecurity practices and compliance. The CIO is continually informed about the latest threats and developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is important for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The CIO implements and oversees processes based on the National Institute of Standards and Technology ("NIST") cybersecurity framework and is responsible for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. Management reports at least twice yearly to the audit committee on the status of our cybersecurity efforts, including assessments of significant risks identified and actions designed to mitigate such risks.

Cybersecurity Risk Management and Strategy

Our cybersecurity risk management strategy is a separate component of our overall risk management process and is designed to protect our assets, including information technology systems, data, and operations, from cybersecurity threats. This involves:
Continuous monitoring and assessment of our cybersecurity posture.
Implementation of security measures such as firewalls, intrusion detection systems, and encryption.
Ongoing cybersecurity training and testing of our employees.
Regular cybersecurity assessments and penetration testing.
Vendor risk management to ensure third-party compliance with our cybersecurity standards.

We also maintain an incident response plan ("IRP") that outlines procedures for responding to cybersecurity incidents, minimizing their impact, and communicating with relevant stakeholders, including regulators, customers, and employees. During a cyber incident, our CIO and network security team assess the severity of the incident and notify key management and (if deemed necessary) our audit committee as promptly as practicable. Our incident plan is reviewed annually and updated as appropriate to address evolving threats and our business conditions.

In the normal course of business, we experience cybersecurity threats and attempted breaches of our systems and network. We classify and track these events based on significance and implement remediation actions that we consider appropriate to address the risks relating to such incidents. We have not experienced any cybersecurity incident and the risks presented by cybersecurity threats have not materially impacted our business strategy, results of operations or financial condition. However, even well-designed and implemented cybersecurity programs cannot completely eliminate cybersecurity threats, and we cannot guarantee that such events or material impacts will not occur in the future.