Stagwell Inc - (STGW)

10-K Filing Date: March 11, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy
Our approach to risk management is designed to identify, assess, prioritize and manage major risk exposures, including material risks from cybersecurity threats, that could affect our ability to execute our corporate strategy and fulfill our business objectives. We have implemented, and incorporated into our operations, cybersecurity risk management processes and technologies to protect the integrity, availability and confidentiality of our critical systems and information.

Key aspects of our cybersecurity risk management program include:
Risk assessments designed to identify risks to our systems and information;
An internal security team principally responsible for managing our cybersecurity risk assessment processes, response to cybersecurity incidents, and information technology security controls;
Engaging third-party service providers to assist with network, endpoint and cloud system monitoring;
Monitoring emerging data protection laws and implementing responsive changes to our processes;
Annual cybersecurity awareness training for employees and enhanced cybersecurity management and incident response training for employees involved in systems or processes that handle sensitive data;
Regular audits and tests of our information systems (including review and assessment by independent third-party advisors, who help identify areas for continued focus and improvement);
Regular phishing email simulations for employees and contractors with access to our email systems;
A third-party risk management process for service providers, suppliers and vendors, including those with access to our customer data, employee data, or our systems; and
A cybersecurity incident response plan that includes detailed procedures for responding to cybersecurity incidents, including processes to triage, assess severity, escalate, contain, investigate and remediate cybersecurity incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.

In addition, we maintain insurance to protect against potential losses arising from cybersecurity incidents.

Cybersecurity Governance and Oversight

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to its Audit Committee oversight of our cybersecurity risk management program. The Audit Committee receives quarterly reports from management on cybersecurity risks, risk assessment and risk management, and discusses those matters with management. In addition, management updates the Audit Committee on cybersecurity incidents. The Audit Committee also receives and discusses quarterly reports from management on the effectiveness of our information technology security controls.

Our information security team, including our Chief Technology Officer and our Senior Vice President Information Security, is responsible for day-to-day identification, assessment and management of the cybersecurity risks we face. The information security team also has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. The leaders of our information security team have over 40 years of combined experience in managing information security, developing cybersecurity strategy and implementing cybersecurity programs. The Chief Technology Officer is informed of and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents through management of the cybersecurity risk management program described above, including our cybersecurity incident response plan. Our incident response plan is also designed, depending on the circumstances, to escalate cybersecurity incidents to other members of management, report cybersecurity incidents to the Audit Committee, and support public disclosure and reporting of material incidents.

Risks from Cybersecurity Threats

Cybersecurity threats and attacks are becoming more sophisticated and pose a risk to our systems and information. While, to date, we have not been subject to cybersecurity incidents that, individually or in the aggregate, have been material to our operations or financial condition, there can be no guarantee that we will not experience such an incident in the future. For more information regarding the cybersecurity-related risks we face, see “Risk Factors - Risks Related to Data Privacy and Cybersecurity.”
