TELOS CORP - (TLS)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity
Company’s processes to assess, identify, and manage material cybersecurity risks
We have developed an ISO/IEC 27001-certified Information Security Management System (“ISMS”) designed to enhance our corporate security measures, identify and mitigate information security risks, and protect and preserve the confidentiality, integrity, and continued availability of all information owned by the Company and that of its customers and suppliers in our control. Our ISO certification can be verified on the BSI Group website using certificate number IS 64920.
Our ISMS includes developing, implementing, and continually improving policies and procedures designed to safeguard information and ensure the availability of critical data and systems. These policies cover areas such as requiring secure coding practices and a secure development lifecycle process, monthly information security awareness training for all employees and enhanced training for specialized personnel, review and assessment by external, independent third parties, who certify and report on our weaknesses and internal response preparedness for the entire Company, and the performance of daily vulnerability scanning of our network infrastructure as well as annual third-party penetration testing.
Our cybersecurity risk assessment, identification, and management process consists of a dedicated Governance Risk and Compliance ("GRC") team, within our Information Security organization, that implements a repeatable, ISO/IEC 27001-compliant methodology to assess and track cybersecurity risk. This team, reporting to and working with the Chief Information Security Officer ("CISO"), identifies, tracks, and updates cybersecurity risks that threaten the Company directly and through third parties. The GRC team collaborates closely with risk owners throughout the Company, vendors, and suppliers, working with them in an effort to ensure their risks are identified, documented, and mitigated in a timely fashion.
In addition to our active ISO/IEC 27001 certification, the Company also assesses itself against the National Institute of Standards and Technology Special Publication 800-171 as required by the Defense Federal Acquisition Regulation Supplement. In accordance with our ISMS, we also actively monitor known threats that could affect our products and services and work with our suppliers to provide us with real-time reports of threats or vulnerabilities that may affect our enterprise-wide systems. Our program also includes a cyber incident response plan that provides controls and procedures for timely and accurate reporting of any material cybersecurity incident as well as a business continuity plan that is designed to provide a clear framework for how the Company can continue in the event of any significant disruption in an effort to ensure that we can offer the same level of security, support, and excellence to all our customers. In the normal course, our Security and GRC teams engage assessors, consultants, and other third parties to assist in various cyber-related matters. For example, to maintain our ISO certification, the Company utilizes an external third party to conduct yearly audits of its ISMS. Our Information Security organization also leverages third-party advisors, as appropriate, for various tasks such as conducting annual third-party penetration testing.
In 2023, we conducted an enterprise risk assessment that included an assessment of cybersecurity risk in context with other enterprise-level risks. Furthermore, our CISO and our General Counsel regularly discuss cybersecurity risk mitigation. We carry errors and omissions insurance that provides some protection against the potential losses arising from a cybersecurity incident. For additional information regarding potential cybersecurity risks, see relevant business and operational risks under Item 1A, "Risk Factors", of this Annual Report on Form 10-K.
In the last three years, we have not experienced a material information security breach incident or any penalties or settlements related to the same, and the expenses we have incurred from information security breach incidents were immaterial.
Management’s role and expertise in assessing and managing material cybersecurity risks
Our Information Security team is charged with the responsibility for assessing and managing material cybersecurity risks. That team is led by our CISO. Certifications held by the Information Security team include CompTIA A+, Network+, Security+, Project+, & CyberSecurity Analyst+, eLearnSecurity Junior Penetration Tester, EC-Council Certified Ethical Hacker ("CEH"), Certified Encryption Specialist, Certified Security Analyst, & Computer Hacking Forensic Investigator ("CHFI"), CMMC-AB Registered Practitioner ("RP"), and ISC2 Certified Information Systems Security Professional ("CISSP"). Our CISO’s background includes over 17 years of experience in IT and Information Security. His formal education includes a Master’s degree in Cybersecurity and Information Assurance and a Bachelor’s degree in Computer Forensics. Certifications held by the CISO include CompTIA A+, Network+, & Security+, Microsoft Technology Associate ("MTA"), CMMC-AB RP, ISO 27001 Certified Lead Implementer Professional, EC-Council CEH & CHFI, ISACA Certified Data Privacy Solutions Engineer & Certified Information Security Manager, ISC2 CISSP, and Offensive Security Certified Professional. Our CISO reports to our Chief Information Technology Officer ("CITO"), who in turn reports to our Chief Executive Officer ("CEO"). Each of our CITO and our CEO has extensive experience in cybersecurity matters.
Our CISO provides reports to the Audit Committee of our Board of Directors on a standing basis at each Audit Committee meeting, and as otherwise requested by the Chair of the Audit Committee or as determined necessary by the CISO or other members of senior management. The CISO is personally involved in, and responsible for, the risk assessment, identification and management process described above.
Board of Directors’ oversight of cybersecurity risks
The Board of Directors has oversight responsibility with respect to risk management and reviews matters with management as part of management’s regular Board reporting. The Board of Directors has delegated responsibility for information security and cybersecurity risk oversight to the Audit Committee. In accordance with its charter, the Audit Committee discharges these responsibilities through various processes, including the option to use third party advisers as and when it deems appropriate, and discusses with management the Company’s major policies with respect to risk assessment and risk management. The Audit Committee regularly reports the results of these discussions to the Board of Directors. As noted above, the CISO reports to the Audit Committee at each regular Audit Committee meeting on the status of cybersecurity risk assessment, identification and management, as well as reporting information security incidents as they occur, if material, and providing periodic briefings about our information security program, our internal response preparedness, and assessments led by outside advisors. The Chair of the Audit Committee, in turn, reports on these topics to the Board of Directors as and when deemed necessary and/or material. Overall, our Board contains two directors with work experience related to cybersecurity issues or oversight.