BGSF, INC. - (BGSF)
10-K Filing Date: March 15, 2024
ITEM 1C. CYBERSECURITY.
Our broader information security program aims to secure our systems, keep our business running, and protect our client partners, field talent, team members, and shareholders from vulnerabilities and threats by protecting against, detecting, and recovering from cybersecurity incidents. With oversight from our Board, the Audit Committee, and management, we have put proactive measures and systems in place in an effort to protect our information assets from unauthorized use or access. Our cybersecurity framework is based on the National Institute of Standards and Technology (“NIST”).
Management Oversight
Our CIO and key members of senior management are accountable for our cybersecurity and data privacy programs and is supported by the Board of the Directors (the “Board”). Our CIO has extensive information technology and program management experience and has served many years in our corporate information security organization. Under the guidance of the Board, the CIO manages day-to-day operations of the security and data privacy functions and proposes changes to our cybersecurity strategy, which is part of our overall information technology strategy. The CIO and the Board meet frequently to discuss cyber and data operations, privacy programs and risks.
Our IT department monitors and manages system infrastructure in an effort to protect us against threats. Our cybersecurity process considers risks from many sources including, but not limited to, alerts, threat intelligence sources, risk assessments, and vulnerability management. Our cybersecurity process includes a risk assessment procedure, a risk evaluation procedure, and a third-party partner to strengthen our cybersecurity controls. These controls are designed to block and/or provide alerts on suspicious activities. Our security team responds as appropriate to risks identified.
Board Oversight
The Board is actively engaged in the oversight of cybersecurity and data privacy. On a quarterly basis, the Board receives updates on (a) our progress on security improvement objectives, (b) relevant reported cybersecurity internal incidents and the global evolving risks, and (c) results of work performed by our third-party information security partner. We engage subject matter experts in conducting independent assessments of our cybersecurity program maturity, penetration tests, and other tests and assessments.
Third-Party Vendor Management
Many of our information technology systems and networks are cloud-based or managed by third parties, whose future performance and reliability we cannot control. The risk of a cyberattack or security breach on a third party carries the same risks to us as those associated with our internal systems. We seek to reduce these risks by performing significant vendor due diligence procedures prior to engaging with any third-party vendor who will have access to sensitive data. Additionally, we require annual audits of certain third parties’ information technology processes.
We face risks from cybersecurity threats that could have a material adverse effect on our business strategy. See “Risks Related to Our Information Technology, Cybersecurity and Data Protection” in Part 1, Item 1A. Risk Factors of this report for a discussion of these risks. With respect to our cybersecurity process, we are not aware of any material breach to date.