LINDBLAD EXPEDITIONS HOLDINGS, INC. - (LIND)
10-K Filing Date: March 06, 2024
We recognize that our business information is a critical asset and as such our ability to manage, control, and protect this asset will have a direct and significant impact on our future success. Our Board of Directors (the “Board”) recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Audit Committee of the Board is actively involved in oversight of our risk management program, and cybersecurity represents an important component of our overall approach to enterprise risk management (“ERM”). Our cybersecurity policies, standards, processes, and practices are fully integrated into our ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Governance
We have an Information Security Committee, assisted by a Virtual Chief Information Security Officer (the “vCISO”), which is a contracted third-party security firm. Its responsibilities include: formulating, reviewing and recommending information security policies; ensuring compliance with applicable information security requirements; assessing the adequacy and effectiveness of the information security policies and coordinating the implementation of information security controls; identifying and recommending how to handle an instance of non-compliance; providing clear direction and visible management support for information security initiatives; promoting information security education, training and awareness throughout the Company, and initiating plans and programs to maintain information security awareness; educating the team and staff on ongoing legal, regulatory and compliance changes as well as industry news and trends; and reporting annually, in coordination with the vCISO, to Executive Management on the effectiveness of our information security program, including progress of remedial actions.
The Information Security Committee, which includes the vCISO, our Vice President of Information Technology (“VPIT”) and our network administrators, works collaboratively across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery policies. To facilitate the success of our cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the Information Security Committee monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the Risk Management Committee when appropriate.
The VPIT and the vCISO provide frequent reporting and updates to our executive management and provide a full report to the Audit Committee of the Board on the cybersecurity audit and the cybersecurity roadmap for improvements and new infrastructure implementations annually, or more frequently if the need arises.
The vCISO has served in various roles in information technology and information security for over 25 years, including serving as the Chief Information Security Officer of two large public companies. The vCISO holds undergraduate and graduate degrees in computer science and has attained the professional certification of Certified Chief Information Security Officer. The VPIT holds several information technology licenses and certificates and has served in various roles in information technology for over 25 years, including experience managing risks arising from cybersecurity threats.
The Information Security Committee oversees our ERM process, including the management of risks arising from cybersecurity threats. The Audit Committee of the Board receives regular presentations and reports on cybersecurity risks from the Information Security Committee, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. The Audit Committee of the Board and the Risk Management Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Risk Management and Strategy
We have integrated processes in place to manage information technology vulnerabilities, including technological tools, applications and controls. Two-step and multi-factor authentication are required for both internal and external access. Anti-virus and malware endpoint protection software is used on all Company and non-Company information systems workstations and laptops, together with email filtering protection. We also subscribe to a Managed Threat Response service that proactively monitors all systems. System event logs are produced and reviewed, with all exceptions and anomalies of actions affecting or relevant to information security identified and investigated.
Software updates and configuration changes applied to information resources are tested prior to widespread implementation and are implemented in accordance with our change control policy. All information resources are scanned on a regular basis to identify missing updates. Missing software updates are evaluated, and updates that address an unacceptable risk to us are implemented and installed on the relevant information resources. Penetration testing and vulnerability scans of the internal network, external network and hosted applications are conducted at scheduled intervals and after any significant changes to the information system environment. Any exploitable vulnerabilities found during a penetration test are remediated and the systems re-tested to verify that the vulnerabilities are resolved. Evidence of a compromised or exploited information resource found during vulnerability scanning is reported to the Information Security Committee.
Third-Party Engagement
To maintain the highest standards of cybersecurity, we actively engage with specialized third-party assessors. This engagement is crucial for an unbiased evaluation of our cybersecurity posture and for gaining insights into industry best practices. The following outlines our general approach in engaging these external entities:
Selection of Qualified Assessors: We select third-party assessors based on their expertise, industry reputation, and alignment with our cybersecurity needs. Preference is given to assessors with proven track records in identifying and mitigating complex cybersecurity risks in similar industries.
Scope of Assessment: The assessment process is comprehensive, covering all critical aspects of our cybersecurity infrastructure. This includes evaluations of our network security, data protection measures, incident response capabilities, and employee cybersecurity awareness. The assessors are also tasked with identifying potential vulnerabilities in our systems and processes.
Regular and Ad-hoc Assessments: Assessments are conducted on a regular basis to ensure continuous monitoring of our cybersecurity health. Additionally, ad-hoc assessments may be conducted in response to significant changes in our IT infrastructure or emerging cybersecurity threats.
Assessment Methodology: The third-party assessors employ a range of methodologies, including penetration testing, vulnerability assessments, and security audits. These methodologies are aligned with industry standards and best practices to ensure a thorough and effective evaluation.
Collaboration and Transparency: We maintain an open line of communication with our assessors throughout the evaluation process. This collaboration allows for a clear understanding of their findings and recommendations. Transparency in this process is key to effectively addressing any identified vulnerabilities.
Action on Findings: Upon receiving the assessment reports, we promptly act on the findings. This includes addressing identified vulnerabilities, implementing recommended security measures, and continuously updating our cybersecurity strategies.
Feedback and Continuous Improvement: Feedback from these assessments is integral to our continuous improvement process. We regularly update our cybersecurity policies and practices based on the insights gained from these assessments to stay ahead of evolving cyber threats.
In today’s interconnected business environment, reliance on third-party service providers is inevitable. However, this reliance introduces additional cybersecurity risks that must be effectively managed. Our approach to identifying and mitigating these risks involves several key steps:
● Risk Assessment and Due Diligence: Prior to engaging with any third-party service provider, we conduct a comprehensive risk assessment. This assessment evaluates the provider's cybersecurity policies, data management practices, and compliance with industry standards. We also assess their history of cybersecurity incidents and responses to understand their resilience and reliability.
● Contractual Safeguards and Compliance Requirements: To ensure robust cybersecurity, our contracts with third-party providers include specific clauses that mandate adherence to our security policies and standards. These contractual obligations cover data protection, incident reporting, and compliance with relevant laws and regulations. Regular compliance audits are conducted to ensure these standards are continuously met.
● Incident Response and Communication: In the event of a cybersecurity incident involving a third-party provider, we have a well-defined incident response plan. This plan outlines the steps for quick and effective action, including communication strategies to manage the impact on stakeholders. We require our third-party providers to promptly notify us of any breaches or potential security threats.
● Review and Continuous Improvement: Our processes for managing third-party cybersecurity risks are regularly reviewed and updated. This ensures that we adapt to new threats and integrate best practices into our risk management framework.
Through these measures, we strive to mitigate the cybersecurity risks associated with third-party service providers, ensuring the resilience and security of our operations and data.