Information Services Group Inc. - (III)

10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity

ISG maintains a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program is integrated within the Company’s enterprise risk management system and addresses both the corporate information technology environment and the Company’s client-facing products. We regularly assess the threat landscape, taking a holistic view of cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K.

The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology. ISG performs annual assessments, by two independent third parties, against the International Organization for Standardization (“ISO”) 27001 Information Security Management System requirements, for which we maintain certification. ISG also maintains certification across other cybersecurity frameworks, including the Trusted Information Security Assessment Exchange and UK Cyber Essentials, and is preparing for SOC 2 attestation across our GovernX platforms.

The Company’s cybersecurity efforts are led by the Chief Information Security Officer (“CISO”), who reports to the Chief Information Officer (“CIO”) and has responsibilities that cover the management of cybersecurity risk and the protection and defense of our networks and systems. Our CISO has proven cyber operations and cyber risk management experience, having previously worked for UK law enforcement and leading organizations in the financial services, health and advertising sectors. Our CISO also holds relevant cyber management qualifications, such as being a Certified Information Systems Security Professional. The CISO manages a team of qualified cybersecurity professionals with broad experience and expertise across cybersecurity disciplines who provide ad-hoc reports to the CISO regarding cybersecurity threats and incidents. Cybersecurity risk is maintained and managed under our Information Security Management System framework with oversight through our internal Executive Board (“IEB”) and our Board of Directors, which has delegated responsibility for cybersecurity risk to our Information Security Committee (“ISC”).

Cybersecurity is an important area of focus for our Board of Directors. The Board of Directors reviews and discusses with our CIO the Company’s cybersecurity, privacy and data security programs, the status of projects to strengthen internal cybersecurity, results from third-party assessments, any significant cybersecurity incidents and the emerging threat landscape. Our CIO discusses the same cybersecurity topics covered with the Board of Directors with the IEB. In addition, the IEB makes decisions on resourcing and project prioritization in support of our cybersecurity and compliance initiatives.

Responsibility for cybersecurity risk has been delegated to the ISC, which consists of senior executives (including three IEB members), namely the Chief Financial Officer (IEB member), Chief Human Resources Officer (IEB member), Chief Information Officer, Chief Data and Analytics Officer (IEB member), Chief Information Security Officer, Legal Counsel, Director of Corporate Governance and Data Privacy Manager. The ISC oversees the management of processes for identifying and mitigating cybersecurity risks, material vulnerabilities and high-rated incidents, to help align our risk exposure with our strategic objectives. The ISC meets quarterly and receives additional ad-hoc briefings from the CISO as and when required.

In the event of a major security incident, certain members of the ISC form part of our Incident Management Team (“IMT”). The IMT follows our detailed incident response playbook, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g., legal), as well as senior leadership, the IEB and the Board of Directors, as appropriate.

For the evaluation of our security controls, ISG engages third-party services to conduct penetration testing and independent audits, or to provide consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of our security controls. We also share and receive threat intelligence, which we utilize to bolster defenses against active threats. These tests and assessments are useful tools for maintaining a robust cybersecurity program that protects our investors, clients, employees, vendors and intellectual property and drives continuous improvement across the security domain.

ISG recognizes that if our third-party suppliers are affected by cybersecurity incidents, we could be indirectly impacted, including the potential loss of service (which could be a significant component of our services to clients), exposure of ISG or client data, or a potential backdoor into ISG systems or network. We maintain processes and procedures to continuously assess third-party cybersecurity risk and include security and privacy addendums in our contracts where applicable. We seek to work directly with any suppliers to address potential deficiencies when identified.

To mitigate the risk and negative exposure of personal data being breached or inadvertently shared outside of ISG, we maintain a data protection framework that includes policies, procedures, guidance and records. This includes policies and procedures regarding the rights and usage of personal and client data. ISG employs a Data Privacy Manager who briefs the ISC on privacy matters as part of the quarterly ISC meetings. The Data Privacy Manager completes an internal audit annually and works with a specialist third party to complete an external Data Protection Compliance review.

We continue to invest in the cybersecurity and resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain.


As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating cybersecurity threats or incidents, and such threats or incidents may have a material adverse effect on us. While ISG maintains cybersecurity insurance, the costs related to cybersecurity threats or service disruptions to both ISG and our clients may not be fully insured.

For more information regarding the risks we face from cybersecurity threats, see the risks identified under “Risks Related to Data, Cybersecurity and Confidential Information” found in “Part 1A, Risk Factors” of this Annual Report on Form 10-K.