AMERICAN PUBLIC EDUCATION INC - (APEI)

10-K Filing Date: March 05, 2024
ITEM 1C. CYBERSECURITY

Our Information Security Efforts

Cybersecurity Risk, Management, and Strategy

The performance, reliability, and security of the networks and technology infrastructure we use or rely on is critical to our operations, our institutions’ reputation, and our ability to attract and retain students. We have developed what we believe to be a robust cybersecurity program that incorporates a process of identifying and managing cybersecurity risks across the enterprise. As part of our cybersecurity risk management process, we identify risk by reviewing the elements within our technology stack and processes, including a full scan and identification process of all APEI’s digital and physical assets within the organization, covering hardware, software, data, and personnel. Assets are documented and assessed for their value, factoring in their significance and potential cost if compromised. We conduct a threat assessment for both internal (e.g., employees, contractors, etc.) and external (e.g., hackers, malware, etc.) cybersecurity threats, and we have established plans and actions to detect unauthorized activities. We engage third-party consultants to perform assessments, including annual penetration testing, and we maintain a risk register. The risk register includes documentation of identified risks, the potential impact and likelihood of occurrence, mitigation efforts and the required enterprise level response. Each of the identified risks is given a risk classification from low to high depending on the probability of occurrence and the severity of impact.

At least annually, we conduct tabletop exercises to simulate various attacks, enhancing our preparedness against potential threats. These tabletop exercises are conducted with the support of third-party cybersecurity experts. We perform continuous monitoring and detection of our systems, networks, and data repositories for suspicious activities by leveraging a third party that provides 24x7 comprehensive monitoring of activity that is outside the normal patterns for our day-to-day operations. Our information security team works to stay up to date on threat intelligence through partnerships with outside agencies. We accumulate security event data into our security information and event management, or SIEM, tool, which tracks and monitors events and provides a comprehensive view of how to respond to various threats.

We also have an internal information technology audit team that routinely scans the environment and documents our compliance efforts with regulations and standards that govern our business, such as the Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act, FERPA, and the Gramm-Leach-Bliley Act Safeguards Rule.

We strive to make sure that the entire company is up to date on its responsibilities and understands the importance of each person's contribution to staying cyber secure, through a robust training and education program. Employees and contractors are responsible for taking mandated cyber training on an annual basis. We also run phishing exercises on a routine basis to help ensure employees can recognize and report inappropriate activity and social engineering attempts.

We have a process of continuous improvement by incorporating lessons learned from attempted attacks and feedback from phishing exercises, among other learnings. We also have a third-party risk management process pursuant to which new and existing vendors undergo a structured review of their controls and systems, as well as a periodic review from our security team to help ensure vendors protect our data and systems. We seek to require our third-party vendors contractually to maintain a level of security that is acceptable to us.

We have not experienced any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or that we believe are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. We maintain specific insurance coverage to mitigate losses associated with certain cybersecurity incidents that impact our or our third parties’ information technology and information systems, but there can be no assurance that coverage would be adequate in relation to any incurred losses.

Our cybersecurity risk management process is a standalone process, but it is integrated with and informs our overall enterprise risk management program.

Cybersecurity Governance

In 2019, APEI established the Information Security Steering Committee, or the Steering Committee, consisting of the Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Information Security Officer, General Counsel, and other members of the legal team, to establish and provide oversight over our cybersecurity program. The Steering Committee meets quarterly and is briefed, among other things, on our cybersecurity program, how we are mitigating risks, any notable events that occurred, and phishing campaign results. In addition, the Steering Committee reviews the program for the proper funding and staffing of the information technology security department as well as alignment of the program with our strategic objectives. The Steering Committee reviews and ratifies security policies and helps ensure the proper controls are in place and being followed. The Steering Committee plays a critical role in reviewing the cybersecurity program against applicable federal and state regulations and its progress on planned improvements.

Our cybersecurity program is overseen by the Chief Information Officer and Chief Information Security Officer. Both the Chief Information Officer and Chief Information Security Officer have extensive experience in running and managing a cybersecurity program both in civilian and government agencies.

We have established structured processes and mechanisms, including incident reporting and escalation, a comprehensive incident response plan, and communication plans, in the event a vulnerability is exploited or an attack is successful. These communication plans consist of internal reporting and communication, including to the Chief Information Officer and the Chief Information Security Officer, as well as external reporting, including notifying the proper agencies, management, and the Board of Directors. The Chief Information Officer and the Chief Information Security Officer report the risks from cybersecurity threats, the level of risk, and any material cybersecurity incidents to the Board of Directors, as well as annually review with the Board of Directors the budget, utilization of systems, processes, and controls in place to address cybersecurity risks and management. The Chief Information Officer and/or the Chief Information Security Officer update the Board of Directors no less than quarterly on material developments in these areas.

For more information on our information technology investments and their effects on our results of operations, refer to “Management’s Discussion and Analysis of Financial Condition and Results of Operations – Overview,” and for more information regarding risks related to our information technology, refer to “Risk Factors – Risks Related to Our Technology Infrastructure.”