VSE CORP - (VSEC)
10-K Filing Date: March 07, 2024
ITEM 1C. Cybersecurity
Risk Management and Strategy
We have an information security process integrated into our overall enterprise risk management (ERM) process that is designed to identify, assess, and manage material risks and threats from cybersecurity. To protect our information systems against cybersecurity threats, we employ a range of security processes designed to identify, prevent, detect, respond to, and recover from identified vulnerabilities and cybersecurity incidents in a timely manner. These include internal reporting mechanisms, monitoring solutions, and detection tools. We also leverage the expertise and support of key cybersecurity third-party partners and tools. Our protective measures include technical and organizational safeguards, employee training, incident response capability assessments, cybersecurity insurance, and business continuity mechanisms. We perform employee training as part of our information security processes for all employees. We regularly assess cybersecurity risks and technology threats, utilizing a qualitative risk model to identify, measure, and prioritize certain risks, and develop related security controls and safeguards.
Risk assessments are conducted when we onboard certain new services and new vendors, including third-party vendors, applications, and other technology services, and when there are significant changes to IT or security architecture. Further, we monitor key vendors to understand how such vendors manage cybersecurity risks and threats during the term of their provision of services or products to us.
As part of our cybersecurity incident response framework, our incident response team focuses on responding to, containing, and recovering from a cybersecurity threat and minimizing any business impact. In the event of a cybersecurity incident, the cybersecurity team assesses, among other factors, data and personal information loss, business operations disruption, projected cost and potential for reputational harm, with support from business stakeholders and external technical, legal and law enforcement support.
Governance
Our Board of Directors ("Board") and Audit Committee have oversight responsibility for cybersecurity risks and incidents, including compliance with disclosure requirements, collaboration with law enforcement, and related effects on financial and other risks. Findings and recommendations are reported, as deemed appropriate, to the Board. Senior management including our Chief Information Security Officer (CISO) engages in regular discussions with the Board regarding cybersecurity risks, trends, and any material incidents that may arise. Furthermore, the Board receives briefings on cybersecurity matters from the CISO on our cybersecurity and information security.
Our CISO has served in various roles in information technology and information security for over 20 years, with experience in technology risk management, cybersecurity, compliance, network engineering, information systems, and business resiliency. He is a Certified Information Systems Security Professional. Our CISO manages the Company's information security and oversees our data security personnel and our incident response and business continuity management programs to assess and manage the cybersecurity element of our risk management program, including policies, cybersecurity training, security operations and engineering, cyber threat detection and incident response. Our CISO promptly informs and updates the Board about any information security incidents that may pose a significant risk to the Company.
To date, we have not identified any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of our operations, or financial condition. However, we have been the target of cybersecurity threats and expect them to continue as cybersecurity threats have been rapidly evolving in sophistication and becoming more prevalent. We cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.