KLDiscovery Inc. - (KLDI)
10-K Filing Date: March 28, 2024
To meet our business objectives, we rely on both internal information technology (IT) systems and networks, and those of third parties and their vendors, to process and store sensitive data, including confidential research, business plans, financial information, intellectual property, and personal data of ours and our customers that may be subject to legal protection, and promote the continuity of our Company’s supply chain. In the ordinary course of our business, we receive, process, use, store, and share digitally large amounts of data, including user data as well as confidential, sensitive, proprietary, and personal information.
Maintaining the integrity and availability of our IT systems and this information, as well as appropriate limitations on access and confidentiality of such information, is important to our operations and business strategy. To this end, we have implemented an Information Security Management System (ISMS) within which cybersecurity and risk management strategies are an integral part. The ISMS Committee, which is comprised of companywide and IT department senior management, creates and manages the processes, policies, and procedures for managing the overall security of the organization. The ISMS includes a risk management program designed to assess, identify, track, treat, manage and prevent strategic and operational risks that may impact our company’s business model or operations with a focus on information security, including but not limited to cybersecurity risk, physical security risk, liability risk, innovative risk, competitive risk, and other potential unauthorized occurrences on or through our IT systems that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein. The Risk Subcommittee, a subcommittee of the ISMS Committee, comprised of IT and Information Security senior leadership, maintains a risk register of cybersecurity risks that are regularly monitored and meets once a month to discuss remediation plans and treatment progress for existing risks. New potential risks are submitted to the Risk Subcommittee as they are identified by personnel from across the Company, including executive leadership, managers, directors, analysts, and others. In compliance with our Risk Management Standard and Process policy, new potential risks are evaluated by the Risk Subcommittee to determine whether each risk is to be added to the risk register and analyzed for treatment. The Risk Subcommittee invites subject matter experts from across the Company to participate in remediation planning and treatment progress reporting sessions as part of the monthly Risk Subcommittee meetings. Members of the ISMS Committee and the Risk Subcommittee report directly to the Chief Executive Officer who, in turn, reports to our Board. Our ISMS is informed by internationally recognized standards and is vetted and validated annually by external advisors or consultants.
We engage and consult with external assessors and consultants, on a regular basis, to evaluate our cybersecurity processes, including to anticipate future threats and trends, and their impact on the Company’s risk environment. We have implemented a robust information security internal and external audit program that operates throughout the year. Our environment is tested annually against internationally recognized standards as well as locally (domestic) applicable standards. Findings and opportunities for improvement that result from such external audits are remediated to help our security posture remain current. Prior to and/or periodically throughout an engagement, we work closely with our clients and vendors on various security assessments that test our processes’ compliance with contractual requirements. We have also engaged a third-party vendor to conduct regular employee trainings on cyber and information security, among other topics.
We have established a Third Party Vendor Management program to oversee and identify material risks arising from cybersecurity threats associated with our use of third-party service providers. Our Third Party Vendor Management program includes a vendor risk assessment that is designed to ensure third parties engaged by us are monitored for suitability, sustainability, risk, performance of regulatory/contractual requirements and, upon reassessment, the continual ability to perform or outperform such evaluations. Risks associated with cybersecurity threats identified during the vendor risk assessment may be submitted to the Risk Subcommittee for evaluation and analysis. Informed by an internationally recognized information technology (IT) risk management standard and framework, we identify, analyze, evaluate, and remediate/treat information and cybersecurity related risks, and risks posed by third-party providers throughout the year in addition to the annual external audits and various client assessments we undergo.
We maintain a threat intelligence program that drives informed decision making and strategy development within our organization’s Information Security Program. The threat intelligence program includes the review of cybersecurity incidents, including root-cause analysis, and the deployment of tools and technologies to help prevent future incidents from occurring. Risks associated with cybersecurity threats are evaluated as part of our Risk Management process to determine, among other things, if the risks will materially affect our ability to adequately secure client data throughout the engagement. When deemed appropriate, business strategies are re-evaluated with risk from cybersecurity threats taken into consideration.
Our Board of Directors exercises oversight of the most significant cybersecurity risks, and of our processes to identify, prioritize, assess, manage, and mitigate those risks, through the review of Information Security reports presented by the Executive Vice President of Global IT and eDiscovery Operations, who has over 20 years of industry experience, and the Vice President and Chief Information Security Officer, who has over 20 years of industry experience and holds a wide array of industry certifications. We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework. When and where applicable, the Board of Directors provides input regarding the ISMS in response to the information security reports and as part of their corporate oversight responsibilities. The Board of Directors’ input is leveraged by Senior Information Security leadership as they evaluate and develop plans for continuous improvements of our ISMS to address an evolving landscape of cybersecurity threats. The execution of the Information Security Management System is the responsibility of our Senior Information Security leadership and the Information Security team.
Our risk management program is led by senior management who meet regularly to assess, analyze, evaluate, propose, and approve treatment and/or remediation projects for identified information technology risks (including cybersecurity risks and vulnerabilities). Our Executive Vice President of Global IT and eDiscovery Operations, who is a member of the Risk Subcommittee, reports to our Board of Directors via our Chief Executive Officer. Our Vice President and Chief Information Security Officer (VP, CISO) is responsible for the identification of cybersecurity risks and the performance of vulnerability assessments. Risks and vulnerabilities are assigned to key stakeholders and senior management staff who possess the technical know-how to own these identified risks and vulnerabilities. In accordance with this process, the VP, CISO collaborates and works closely with risk owners to ensure the timely remediation and treatment of risks and vulnerabilities.
As of December 31, 2023, we have not identified any risks from known cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, we face certain ongoing cybersecurity threats that, if realized, are reasonably likely to materially affect us. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “Privacy and Cybersecurity Risks.”