CRAWFORD & CO - (CRD.A)

10-K Filing Date: March 04, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

We recognize the importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our clients' and our data. We have a global cybersecurity and privacy program to help effectively assess, identify, and manage cybersecurity threat risks. We have developed a list of cybersecurity risks from known threats and our own history to help identify what is most meaningful and potentially impactful to the Company. The cybersecurity and privacy initiatives to address the risks are complex, strategic, and ever evolving. Threats and risks are identified from threat intelligence sources that include our vendors, industry, and government organizations. We continuously monitor and scan the cyber landscape to review evolving threats and risks that may impact us. Information from these various sources is reviewed by our cybersecurity and risk teams to evaluate risks in line with the NIST Cybersecurity Framework. Threat intelligence from other financial institutions and industry consortiums that serve financial institutions, such as the Financial Services Information Sharing and Analysis Center, provides key information on how risks are affecting our industry, with the ability to preemptively mitigate emerging threats, as discussed above in Part I, Item 1A of this Form 10-K under the heading Technology and Data Security.


We score cybersecurity risks based on the likelihood and impact on our operations. Such cybersecurity risks are integrated and evaluated as part of the global Enterprise Risk Management (“ERM”) program, which is managed by the ERM Director. The Governance Committee of the Board of Directors maintains oversight of the ERM program and the Audit Committee maintains oversight of the cybersecurity program to ensure risks to the Company are managed within our risk appetite.

Our ERM program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process when identifying and assessing material risks. Our ERM team collaborates with internal subject matter specialists, as necessary, to gather insights and report on the most significant risks. We employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises to identify threats and improve our incident response plan.

We identify and assess cybersecurity incidents based on multiple factors, including information from previous events and incidents. The Cybersecurity Incident Response Team (“CSIRT”) categorizes events into four levels of severity with defined requirements to assess criticality. The CSIRT informs both our leadership and our SEC Cybersecurity Rules Disclosure Committee (“SCRDC”), Cybersecurity and Privacy Council and the Audit Committee of the Board on matters related to cybersecurity risks that are deemed to materially affect the Company.

We perform ongoing cybersecurity awareness training for our employees that reinforces our Global Information Security policies, standards and practices. In addition, employees receive periodic newsletters emphasizing awareness of new cybersecurity threats (e.g., phishing attempts, smishing, pretexting, and deep fakes). This training is mandatory for all employees globally and is supplemented with periodic phishing tests. Additionally, we perform an annual external evaluation of our cybersecurity program using the NIST Cybersecurity Framework.

We regularly engage with consultants to review our cybersecurity program to help identify areas for continued focus, improvement and compliance. Our processes also address cybersecurity risks associated with third-party service providers, including those with access to our non-public or restricted data, including client data. Third-party risks are also included within our ERM program and are actively reported to the Audit and Governance Committees. Our Third-Party Risk Management Program comprises a defined process to identify, assess, and mitigate risks posed by our third-party suppliers and service providers, specifically including cybersecurity and privacy risks.

We are also in the process of simplifying our technology landscape and implementing several new cybersecurity technologies that will help improve the management of cybersecurity risks and threats. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial (including no related penalties and settlements).

Cybersecurity Governance

Our global cybersecurity and privacy program is managed by our Chief Information Security Officer (“CISO”), Vice-President of Global IT Security, Global Chief Privacy Officer (“CPO”), and Chief Information Officer (“CIO”). We have also established a Cybersecurity and Privacy Council, which is composed of our senior management team, including our CEO. The Cybersecurity and Privacy Council meets on a quarterly basis with the CISO, CPO and CIO to keep our CFO, General Counsel and other executive leadership informed of cybersecurity activities and new risks and requirements. The objective of this council is to review, discuss, and manage cybersecurity and privacy risks and threats, prioritize risks, monitor risk mitigation progress, advise and update on the evolving legal landscape, and provide visibility into ongoing activities and programs.

The Board of Directors provides oversight and has designated primary responsibility to the Audit Committee, which oversees our information security programs, including cybersecurity, and is actively involved in monitoring the progress of key cybersecurity initiatives. The CISO manages the cybersecurity program in collaboration with the CIO, CPO, and our business leaders. The CISO provides updates to the Audit Committee quarterly, including progress on the cybersecurity initiatives, risk trends and scores, and any cybersecurity incidents. Executive leadership and the Board of Directors are regularly informed and updated on any potentially material incidents.

We also created a SCRDC composed of members from cybersecurity, privacy, legal, audit, and finance teams. This committee's objective is to review and discuss the nature of cybersecurity and privacy incidents and determine impact and materiality.


Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our CISO, CPO, CIO, and VP of Global IT Security. Our security, privacy, and IT leaders have extensive relevant work experience in various roles, which include developing cybersecurity strategy, implementing effective information and cybersecurity programs, and implementing cybersecurity and privacy solutions. These leaders have relevant degrees and certifications, including Certified Information Systems Auditor, Certified Information Systems Security Professional, Fellow of Information Privacy, and Certified Information Privacy Professional.

As described above, we have experienced professionals in the key roles of the CISO, CPO, CIO, and VP of Global IT Security. The cybersecurity and privacy offices are responsible for incident reporting and management, which includes cybersecurity threats. The Incident Response team, comprising key cross-functional professionals and stakeholders globally, meets weekly and as needed to identify, respond to, contain, and coordinate events where activities threaten the security, confidentiality, integrity, and availability of our information, including client information and information systems.

Once an event materially impacts systems or data, these cross-functional professionals and stakeholders evaluate the incident using key factors (e.g., type and scope of information impacted, systems impacted, reputational impact) and promptly inform senior leadership, the Audit Committee and the Board of Directors. Further, we may consult outside counsel or external advisors depending on the circumstances and situation (e.g., client, controls, location, or regulatory landscape).