Willdan Group, Inc. - (WLDN)
10-K Filing Date: March 07, 2024
Risk management and strategy
The Company has incorporated evaluation of cybersecurity threats into its overall risk management strategy. As such, Willdan has established a cybersecurity program designed to address applicable legal requirements. Through its internally dedicated cybersecurity team, combined with cybersecurity-specific technologies and external cybersecurity service professionals, the Company assesses, identifies, and manages material risks from cybersecurity threats to its critical computer networks, hardware and software, and data.
The Company’s cybersecurity team helps identify and assess risks from cybersecurity threats by monitoring and evaluating the Company’s threat environment using various methods. Through the use of internal and external risk assessment audits of certain environments aimed at identifying potential areas of cybersecurity risk, external and internal monitoring alerts, and other external and internal tools (such as next generation endpoint security (EDR/XDR), SASE framework, next-gen firewalls, and external-party monitoring of endpoint and cloud security environments), the Company performs ongoing assessments of its cybersecurity risks that are designed to take into account the rapidly evolving cybersecurity threat landscape. Further, in conjunction with its ISO 27001 and SOC2 certifications, the Company undergoes annual external audits that include reviews of its cybersecurity risk assessment processes and policies.
In an attempt to manage and mitigate material risks from cybersecurity threats, the Company’s cybersecurity risk management process includes certain preventive measures, detective controls, and incident response procedures, depending on the environment and systems. This includes implementing security controls in certain environments and systems, ongoing monitoring of certain environments and systems, adopting response protocols for security incidents, and maintaining cybersecurity insurance. The Company’s cybersecurity risk management approach is periodically reviewed by management and certain external service professionals to assess whether any changes are needed to reflect changing threats.
In addition, assessment and management of material risks from cybersecurity threats are integrated into the Company’s risk management strategy. For example, our cybersecurity team works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, "Cyber security breaches or other systems and information technology interruptions could result in liability, harm our reputation and impact our ability to operate."
The Company engages third-party cybersecurity consultants and auditors who help the cybersecurity team in identifying, assessing, and managing material risks from cybersecurity threats, including by evaluating and enhancing the Company’s cybersecurity posture. The Company also engages third-party service providers to perform a variety of functions throughout its business. The Company’s vendor management practices include performing due diligence before engaging with certain third-party service providers, designed to evaluate the service providers’ cybersecurity practices, including their security policies, incident response capabilities, and data protection measures (as evidenced by third-party certifications including ISO 27001 and SOC II reports); including specific cybersecurity requirements in contracts with certain third-party service providers, such as regarding security standards, data protection, and incident reporting as applicable; and monitoring and auditing certain third-party service providers’ cybersecurity practices and compliance with contractual obligations. Depending on the nature of the services provided, the sensitivity of the information systems and data at issue, and the identity of the provider, the Company’s vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.
Governance
The Board addresses the Company’s cybersecurity risk management as part of its general oversight function. The Board is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of Company management, including those who are part of the Company’s cybersecurity team. The Company’s cybersecurity team consists of individuals with expertise in cybersecurity, information technology, risk management, and Company operations. Our cybersecurity team has decades-long experience in cybersecurity and holds industry-standard certifications, including Certified Information Systems Security Professional (“CISSP”) and Certified Cloud Security Professional (“CCSP”), among others.
Management is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Management is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
The Company’s cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including the Company’s President and Chief Executive Officer, Chief Financial Officer, and General Counsel (collectively, “Executive Management”). Executive Management works with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response plan includes reporting to the Board for certain cybersecurity incidents.
The Company’s Board provides oversight of cybersecurity risk and regularly receives updates from the Company’s cybersecurity team. These updates cover topics that include cybersecurity team member updates, cybersecurity infrastructure updates, improvements in cybersecurity tools and technologies, cybersecurity framework compliance, cyber-risk hardware/software enhancement updates, cybersecurity threats and mitigation measures, and more. The Board also has access to various reports, summaries, or presentations related to cybersecurity threats, risk, and mitigation.