FORRESTER RESEARCH, INC. - (FORR)

10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity

We recognize the importance to our business and reputation of the continuous availability of our internal and client-facing information technology systems, as well as our ability to protect both the confidential information of our clients and our own intellectual property and business information. We are committed to protecting our client and business data and information technology assets and have implemented a cybersecurity program with policies, standards, processes and practices governing the protection and control of information during its lifecycle of creation, usage, transmission, storage and disposal.

Cyber Risk Management and Strategy

We have implemented and maintain a risk management program that includes processes for the identification, assessment, management and mitigation of cybersecurity risks. This program utilizes numerous technological and human security controls, processes, and procedures to address risks including, but not limited to, those identified by threat intelligence providers, internal stakeholders, and security management programs. Our cybersecurity program is generally aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Our risk management program is documented in our written Information Security Policy. We periodically update our Information Security Policy, along with other policies and procedures, to adapt to evolving business conditions and threats.

Included in our Information Security Policy is a documented incident response plan to identify, assess, manage and mitigate cybersecurity incidents. As part of our risk management program, we maintain a technology management security team, led by our Information Security Officer (ISO). Among its responsibilities, the technology management security team conducts due diligence on software, hardware or service vendors where access to systems or data of Forrester or our clients is contemplated. The security team assesses whether these vendors have appropriate privacy and security controls and whether adequate contractual protections are in place. We also engage external security assessment vendors from time to time to conduct penetration testing and vulnerability assessments and to report findings to management.

All new Forrester employees and contractors receive a copy of the Information Security Policy and are required to undergo information security and privacy training both as part of their onboarding and on an annual basis. We currently also maintain cybersecurity insurance covering the company and its subsidiaries.

While to date we are not aware of having experienced any material cybersecurity threats or incidents, and we do not believe that risks from such threats or incidents are reasonably likely to materially affect us, our business strategy, results of operations or financial condition, there can be no guarantee that we will not experience a successful material threat or incident. Additional information on cybersecurity risks we face can be found in “Item 1A, Risk Factors” under the heading “We face risks from network disruptions or security breaches that could damage our reputation and harm our business and operating results.”

Governance Related to Cybersecurity Risks

Our board has final oversight responsibility over cybersecurity-related matters. Our Chief Information Officer (CIO) leads the full board in interactive sessions dedicated to cybersecurity risks at least once a year. These sessions address a range of cybersecurity-related topics, such as recent developments in the threat environment, the status of ongoing information security program initiatives, and cybersecurity strategy. In addition, the audit committee assists the board in fulfilling its oversight responsibilities with respect to policies relating to risk assessment and management, including the management of risks arising from cybersecurity threats. The audit committee is responsible for reporting findings related to its review of these matters to the board.

With respect to management, our CIO, who reports directly to our chief executive officer, has over 20 years of experience with our company, including more than 10 years serving in technology-based leadership roles. Our VP, Infrastructure, Operations & Security, who reports directly to the CIO, serves as our ISO and has extensive cybersecurity experience gained from over 20 years serving in security-related roles for the Company. Our ISO, together with our technology management security team, is responsible for developing, maintaining and enhancing the systems and processes necessary to protect confidential information from loss, theft, and unauthorized access or use. This team also monitors our systems and networks to detect unauthorized activity or access, and responds to any such unauthorized attempts in order to mitigate loss and to ensure that all unauthorized access to data ceases. If an incident is identified, this team reports the event to the CIO, who will then, as appropriate, advise the chief executive officer, chief legal officer and other management, as well as others, potentially including law enforcement or clients. We have also established a Risk Committee consisting of members of our finance, legal and technology management departments, whose duties include assessing the materiality of any identified incidents to help ensure compliance with the SEC's cybersecurity incident disclosure rules.