Heritage Global Inc. - (HGBL)
10-K Filing Date: March 14, 2024
We place a high priority on securing confidential business information and the personal information we receive and store about our customers and employees. Our cybersecurity risk management is based on recognized cybersecurity industry frameworks and standards, including those of the National Institute of Standards and Technology, which we use, together with information collected from internal assessments, to develop policies for use of our information assets (for example, mobile phones and personal computers) and protection of personal information. We protect these information assets through techniques such as multifactor authentication and malware defenses. We also work with internal stakeholders across the company to integrate foundational cybersecurity principles throughout our organization’s operations, including restricting access to information based on business need. We utilize an established, nationally recognized cloud-services provider to maintain and manage our data, with the exception of certain highly sensitive information, which we maintain in separate designated systems with enhanced security controls. In addition, we contract a third-party IT consultant with over twenty years of experience, who manages the core information technology functions of the business, including coordinating with our cloud-services provider, implementing new processes, monitoring our network for cyber threats, and other information technology administrative responsibilities. Throughout the year, we train our employees on cybersecurity awareness and confidential information protection, and we perform simulated phishing attacks.
In addition to the processes, technologies, and controls that we have in place to reduce the likelihood of a material cybersecurity incident (or series of related cybersecurity incidents), we have developed a written incident response plan outlining how to address cybersecurity events that occur. The plan sets forth the steps for coordination among various corporate functions and governance groups and serves as a framework for the execution of responsibilities across businesses and operational roles. The incident response plan is designed to help us coordinate actions to prepare for, detect, respond to and recover from cybersecurity incidents, and includes processes to triage, assess severity, escalate, contain, investigate, and remediate the incident, as well as to assess the need for disclosure and comply with applicable legal obligations. We also maintain insurance coverage that, subject to its terms and conditions, is intended to help us cover certain costs associated with cybersecurity incidents and information system failures. To date, we have not experienced a material cybersecurity or information security breach.
Oversight responsibility in this area is shared by management, the Board, and its Corporate Governance Committee. To prevent, detect and respond to information security threats more effectively, the Company has established a Management Cybersecurity Committee (MCC) consisting of the Chief Financial Officer, the Executive Vice President, General Counsel and Secretary, the Chief Marketing Officer, business unit leaders, the third-party IT consultant, and other internal and external IT resources. The MCC regularly reports to the Corporate Governance Committee, which in turn reports to the Audit Committee and the Board. The Board also receives an annual update from our senior leadership on cybersecurity and information security matters. The Corporate Governance Committee regularly briefs the Board on these matters, and the Board also receives periodic briefings on cyber threats to enhance our directors’ awareness of cybersecurity and information security issues.