STAR EQUITY HOLDINGS, INC. - (STRR)

10-K Filing Date: March 22, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We identify and address cybersecurity threats and risks related to our business using an interdisciplinary approach that includes assessments primarily by our management, IT team and legal department. To defend against, detect and respond to cybersecurity incidents, we employ a multi-layered approach that has been integrated into our overall risk management systems and processes, which includes, among other things: conducting proactive privacy and cybersecurity reviews of systems and applications, auditing applicable data policies, conducting employee training, monitoring emerging laws and regulations related to data protection and information security, and continuously improving controls and implementing appropriate changes. The cybersecurity-control principles that form the basis of our cybersecurity program are informed by the National Institute of Standards and Technology Cybersecurity Framework. Our management performs an annual review of third-party service providers’ SOC reports to verify appropriate controls are in place.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our ongoing efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. Please refer to the risk factor titled “We rely on information technology in our operations, and any material failure, inadequacy, interruption or security failure of that technology could materially harm our business.” in “Risk Factors” in Part I, Item 1A of this Form 10-K for more information on the risks posed to us by cybersecurity threats.
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and is an area of focus for our board of directors and management. Our board of directors, as a whole, has oversight responsibility for our strategic and operational risks, and ensures that appropriate risk mitigation strategies are implemented by management. Our audit committee assists the board of directors with this responsibility by periodically reviewing and discussing our risk assessment and risk management practices, including cybersecurity risks, with members of our management team, which is responsible for the assessment and management of cybersecurity risks.
In addition, we have retained an external consultant to serve as our internal audit function and to support our cybersecurity risk management and governance practices. Our consultant has substantial experience in cybersecurity risk management and information technology, including security, compliance, systems and programming, and reports to our audit committee and our board of directors on any appropriate items.