TaskUs, Inc. - (TASK)
10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We have developed a comprehensive cybersecurity program, modeled after the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), that forms a critical component of our overall risk management and business strategy and provides for a methodological approach to identifying, assessing and managing material risks from cybersecurity threats. Our risk assessment protocol considers both probability of occurrence and potential impact to our business and is predicated on the pillars of risk identification, analysis and mitigation. Execution of our cybersecurity program is coordinated by our management, dedicated cybersecurity employees and third-party providers. While no particular cybersecurity risk or incident has unilaterally influenced our strategy, we allocate a portion of our operational and capital budgets towards sustaining and improving our cybersecurity defense posture, in addition to maintaining tailored insurance coverage. We value the importance of safeguarding digital assets, ensuring trust, and operational continuity amidst evolving threats. By prioritizing cybersecurity, we endeavor to protect our interests and uphold our commitment to our stakeholders’ security and privacy.
To evaluate the adequacy of our cybersecurity program, we apply various assessment techniques, such as continuous asset audit, vulnerability management, external attack surface management, source code review, a bug bounty program, threat hunting, red-team exercises, and direct engagement with functional leaders. We routinely examine our cybersecurity defenses through automated and manual vulnerability scanning to identify and correct critical vulnerabilities. In addition, we conduct regular testing to evaluate our security posture and the adequacy of our policy as a whole. We compare our cybersecurity program against industry standards and established frameworks, such as those of NIST and the Center for Internet Security. Further, we engage in cyber incident simulation exercises executed by senior management and IT/Information Security personnel, involving hypothetical cybersecurity incidents to test our cyber incident response processes. In addition to the foregoing internal review of our cybersecurity program, we periodically engage independent third parties to assess the risks associated with our information technology resources and information assets. Among other things, these independent parties analyze the effectiveness of controls over information technology resources and conduct penetration tests and scanning exercises to assess the performance of our cybersecurity systems and processes for qualifications under recognized industry standards and for annual certification under Payment Card Industry Data Security Standard (PCI DSS), HITRUST, SOC 2 Type II, and ISO 27001. We memorialize our findings and review the results of these assessments with management and, where appropriate, our board of directors. Relevant modifications are incorporated into our cybersecurity framework to ensure that our systems functionally align with our cybersecurity strategies.
Furthermore, we engage third-party vendors to support our cybersecurity program. Prior to onboarding, we review the cybersecurity risk profile of third-party vendors to ensure that they employ appropriate safeguards to comply with our internal standards and current industry regulations. We classify IT service providers according to their risk and independently audit their security controls on a recurring basis, based on the types of services provided and the extent and type of data accessed or processed by a third-party vendor. Furthermore, in certain instances, we include contractual provisions in our agreements with such vendors to implement best practices with respect to data and cybersecurity, as well as to provide us with rights to assess, monitor, audit and test such vendors’ cybersecurity programs and practices and to mandate notice requirements in the event of a breach. We also closely monitor and manage third-party access to our internal systems and data.
For a discussion of how risks from cybersecurity threats affect our business, see Part I, Item 1A. “Risk Factors – Unauthorized or improper disclosure of personal or other sensitive information, or security breaches and incidents, whether inadvertent or purposeful, including as the result of a cyber-attack, could result in liability and harm our reputation, each of which could adversely affect our business, financial condition, results of operations and prospects” in this Annual Report.
Cybersecurity Governance
Our board of directors and management closely coordinate to execute on our cybersecurity strategy. Our board of directors oversees cybersecurity risk management as part of its oversight of our risk management framework, while the Audit Committee has primary responsibility for management of the risks facing our Company and oversight of the measures initiated by management to monitor and control such risks and reports to the board of directors. Our management team is responsible for the day-to-day oversight and management of cybersecurity risks, supported by our dedicated professionals responsible for cybersecurity, fraud, and compliance. Our Division Vice President for Information Security (DVP, Information Security) reports to our Chief Information Officer (CIO) and has primary responsibility for the day-to-day management of cybersecurity risks by leading the Information Security department and operationalizing our Information Security Management System. The CIO and DVP, Information Security meet regularly with the Audit Committee to review the company’s management of information security risks, and the Audit Committee evaluates the adequacy of the Company’s IT security program, compliance and controls with our CIO. Additionally, our Enterprise Risk Management Committee, which is composed of certain of our senior management, legal and operations teammates, provides senior management with sponsorship and guidance to ensure that overall risk management objectives are achieved and regularly reports to the board of directors on matters within its purview.
Our current DVP, Information Security has led the information security program at TaskUs for eight years, and has over a decade of prior experience in cybersecurity operations, risk assurance and internal audit. Additionally, he holds an MBA degree and multiple professional certifications including CISSP (certified information systems security professional), CISA (certified information systems auditor), CIA (certified internal auditor), CCSP (certified cloud security professional) and CRMA (certification in risk management assurance). The DVP, Information Security also leads our Information Security Council, which is composed of IT functional leads and is responsible for the quarterly review of cybersecurity risks and operations of the information security management system.
We have also developed an incident response plan, designed to identify suspected or confirmed information security or cybersecurity events based on the expected risk an event presents, and expediently move such information through the appropriate personnel and channels. The plan details the sequence of steps and relevant personnel, roles, communication procedures, and incident response process flows to be used in the event of an applicable incident. Our Disclosure Committee, which is composed of certain of our senior management, legal and operations teammates, plays an integral role in this process, by supervising external reporting of cybersecurity incidents. Among other items, our procedures require calling an ad hoc committee meeting within 24 hours of incident identification for incident materiality assessment and determination.