Quest Resource Holding Corp - (QRHC)
10-K Filing Date: March 12, 2024
Risk Management and Strategy
We support a risk-based cybersecurity program with control alignment to the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). The core functions of the program are designed to manage cyber-related risks and strengthen the overall cybersecurity posture of our organization.
Annual external cybersecurity and compliance assessments are conducted for the identification, prioritization, and remediation of cyber-related risks to the company’s information systems and data. Ongoing internal risk assessments are conducted to ensure protective and detective security controls perform as expected.
Risk Mitigation
To mitigate identified cyber-related risks to our organization, we employ a multi-layered approach, integrated into our overall risk management systems and processes, that includes:
Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to affect our company, including our business strategy, results of operations or financial condition. We and our third-party partners have frequently been the target of cybersecurity threats and expect them to continue. For an additional description of these cybersecurity risks and potential related impacts on us, see “Risk Factors - Cyberattacks and security vulnerabilities could lead to increased costs, liability claims, unauthorized access to customer data, or harm to our reputation” in Part I, Item 1A of this Annual Report on Form 10-K.
Governance
Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors and management team. We have established a cybersecurity governance framework that encompasses policies, procedures, and controls designed to support cybersecurity risk management practices. Our Senior Information Systems Manager is responsible for assessing and managing material risks from cybersecurity threats. This position reports directly to our Senior Vice President of Strategy and Information Technology. In addition, we have retained Virtual Chief Information Security Officer services to support our cybersecurity risk management and governance practices. These individuals have substantial prior work experience in roles involving cybersecurity risk management and information technology, including security, compliance, systems, and programming. They are informed about, and monitor, the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy process described above, and report to our Managed Security Services Provider and our Board of Directors on any appropriate items. Our Board of Directors oversees the cybersecurity program and receives program metrics, as well as information on identified cyber-related risks, when meeting with the company's management.
While we continuously invest in cybersecurity controls, we acknowledge the possibility of cybersecurity incidents despite our efforts. These incidents may include unauthorized access, data breaches, ransomware attacks, and service disruptions. We have contracted with a cyber insurance provider, an Incident Response provider, and a Managed Security Services Provider to minimize the impact of such events and to support prompt detection, containment, and recovery.