Quest Resource Holding Corp - (QRHC)

10-K Filing Date: March 12, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We support a risk-based cybersecurity program with control alignment to the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). The core functions of the program are designed to manage cyber-related risks and strengthen the overall cybersecurity posture of our organization.

Annual external cybersecurity and compliance assessments are conducted for the identification, prioritization, and remediation of cyber-related risks to the company’s information systems and data. Ongoing internal risk assessments are conducted to ensure protective and detective security controls perform as expected.

Risk Mitigation

To mitigate identified cyber-related risks to our organization, we employ a multi-layered approach, integrated into our overall risk management systems and processes, that includes:

Security Controls: We have implemented industry-standard security controls aligned with the NIST CSF, such as identity and access control, multi-factor authentication, encryption, and data protection measures.
Security Awareness: We conduct regular cybersecurity awareness training to educate employees about potential threats and best practices for safeguarding company assets and data. In addition, we conduct periodic phishing tests to enhance our security awareness program.
Third-Party Oversight: We evaluate third-party partners’ cybersecurity practices through due diligence assessments and contractual obligations. Our risk management program also assesses third-party risks, and we perform third-party risk management to identify and mitigate risks arising from our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers.
Continuous Monitoring: We have partnered with a third-party Managed Security Services Provider to provide event logging, monitoring for detection of cybersecurity events, and assistance with investigations into possible cyber-related events, as well as assessment and consultation on security enhancements.
Business Resiliency: We have developed emergency response, business continuity, and disaster recovery plans to respond to a widespread disruption to business operations.
Continuous Improvement: Any previous cybersecurity incidents, whether material or not, have resulted in improvements in the company’s cybersecurity program, policies, or technical controls, where applicable.

Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to affect our company, including our business strategy, results of operations or financial condition. We and our third-party partners have frequently been the target of cybersecurity threats and expect them to continue. For an additional description of these cybersecurity risks and potential related impacts on us, see “Risk Factors - Cyberattacks and security vulnerabilities could lead to increased costs, liability claims, unauthorized access to customer data, or harm to our reputation” in Part I, Item 1A of this Annual Report on Form 10-K.


Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors and management team. We have established a cybersecurity governance framework that encompasses policies, procedures, and controls designed to support cybersecurity risk management practices. Our Senior Information Systems Manager is responsible for assessing and managing material risks from cybersecurity threats. This position reports directly to our Senior Vice President of Strategy and Information Technology. In addition, we have retained Virtual Chief Information Security Officer services to support our cybersecurity risk management and governance practices. Such individuals have substantial prior work experience in various roles involving cybersecurity risk management and information technology, including security, compliance, systems and programming, and bring a wealth of expertise in their roles. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy process described above, and report to our Managed Security Services Provider and our Board of Directors on any appropriate items. Our Board of Directors oversees the cybersecurity program and receives program metrics as well as information related to identified cyber-related risks when meeting with the company’s management.

While we continuously invest in cybersecurity controls, we acknowledge the possibility of cybersecurity incidents despite our efforts. These incidents may include unauthorized access, data breaches, ransomware attacks, and service disruptions. We have contracted with a cyber insurance provider, Incident Response provider, and a Managed Security Services Provider to minimize the impact of such events and support prompt detection, containment, and recovery measures.