HEIDRICK & STRUGGLES INTERNATIONAL INC - (HSII)
10-K Filing Date: March 04, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We consider cybersecurity risk management, confidentiality and information security to be critical to our corporate visions and values. We employ a combination of people, technical safeguards and processes to manage these risks and protect information for which we are responsible. Our security program, policies, standards, processes, tools and talent are aligned with the purpose of preventing and mitigating any potential cybersecurity incidents and data leakage.
We have a program in place designed to detect and respond to cybersecurity incidents. Our Chief Information Security Officer (“CISO”) and the cybersecurity team are responsible for defining, implementing and administering appropriate measures to protect information across the Company. Cybersecurity risks are also identified and considered when conducting our annual Enterprise Risk Management (“ERM”) exercise. Pursuant to our ERM program, material cybersecurity risks are identified, assigned to an individual owner within the organization, reviewed twice annually with the CISO, Chief Legal Officer and Corporate Secretary, and Chief Information Officer, and tracked to evaluate containment and mitigation efforts on a go-forward basis. As further described below, management also reviews and discusses the ERM program with the Audit & Finance Committee (“AFC”) of our Board of Directors (“Board”), as well as the full Board, at least annually.
Some key safeguards we have undertaken to assess, identify and manage material risks from cybersecurity threats include, but are not limited to:
• Engaging an independent audit firm to conduct a System and Organization Controls (“SOC”) 2 audit of the Company in 2023;
• Designing information security policies based on the International Organization for Standardization (“ISO”) 27001 framework;
• Maintaining well-documented processes to provide and remove access, for security incident response, for IT change control and for the secure software development lifecycle;
• Conducting regular system patching;
• Conducting frequent, independent third-party vulnerability and penetration testing;
• Providing access on a “need to know” basis applied with the “least privilege” principle;
• Requiring multi-factor authentication for system access;
• Protecting the use of data centers with physical and environmental controls;
• Encrypting data at rest and in transit;
• Requiring regular, independent SOC 1 and/or SOC 2 audits for key SaaS providers;
• Requiring third parties to have information risk management processes;
• Requiring regular security awareness training, including annual online security awareness training, for all users of our systems, which covers topics like phishing, social engineering, mobile and device security and protection of sensitive information;
• Testing awareness by sending regular test phishing emails;
• Monitoring security 24/7/365; and
• Providing for system redundancy and resilience to help ensure business continuity.
We regularly engage third party service providers to assist with management of cybersecurity risks. For instance, as noted above, we engage third parties to conduct frequent, independent vulnerability and penetration testing of our systems. In addition, in 2023, we engaged Grant Thornton LLP to conduct a SOC 2 audit of our systems and controls. Further, our enterprise level IT general controls are audited annually by our independent registered public accounting firm.
We also monitor and oversee risks from cybersecurity threats associated with all third-party service providers that handle data or information for us. In connection with engaging any third-party service provider that will handle data or information for us, we review its internal controls, require that it fill out our security and/or privacy questionnaires and ensure there is appropriate contractual language regarding data privacy, security, and confidentiality. For example, we require all third-party service providers that handle personal data to sign data privacy addenda. We also annually audit compliance of those third-party service providers with these requirements, including through a review of their SOC 1 and/or SOC 2 audits, have them update our security and/or privacy questionnaires and, as appropriate, we conduct on-site audits for certain significant third-party service providers.
We face a number of cybersecurity risks in connection with our business. To date and to our knowledge, we have not experienced a material cybersecurity incident, and cybersecurity threats have not had a material impact on our business strategy, results of operations, or financial condition. However, we have, from time to time, experienced threats to and infringement of our data, policies and systems in the ordinary operation of our business. For more information about the cybersecurity risks we face, see the risk factors in Part I, Item 1A. Risk Factors entitled “Increased cybersecurity vulnerabilities, threats and more sophisticated and targeted cyber-related attacks could pose a risk to our systems, networks, solutions, services and data.” and “We are dependent on third parties for the execution of certain critical functions and the failure or inability to perform on the part of one or more of these third parties could materially and adversely affect our reputation and our business.”
Governance
The AFC, comprised entirely of independent directors, assists the Board in its responsibilities of ensuring that the Company has established, documented and maintained, and periodically reevaluates, its processes with respect to cybersecurity. Our CISO briefs the AFC on cybersecurity matters, including on the evolving threat landscape and the Company’s enhanced efforts in light of emerging risks, no less than twice per year, and in 2023, our CISO provided cybersecurity updates to the AFC two times during the course of the year. In addition to formal updates provided to the AFC, our CISO maintains regular communication throughout the year with members of the AFC on these issues. The chair of the AFC also briefs the full Board on cybersecurity matters discussed amongst the AFC. Furthermore, and as discussed above, cybersecurity risks are also reviewed and discussed with the AFC and the full Board as part of the annual ERM assessment.
Our CISO has experience managing a risk-based, effective, practical and appropriately sized cybersecurity program that aligns with our strategic business objectives, and leads our cybersecurity team, which is responsible for assessing and managing the Company’s material risks from cybersecurity threats. Our CISO has 28 years of experience in the technology domain and 24 years of experience in information security. Our CISO is also a CISSP (Certified Information Systems Security Professional) and a CIPP/E (Certified Information Privacy Professional/Europe).
We have a specifically outlined incident response plan that documents the requirements of notification, classification, analysis and communication of security incidents, including cybersecurity incidents, based on the identified severity level. The CISO is informed of incidents at all severity levels pursuant to the incident response plan. The incident response plan also includes initial steps to convene the response team, contain the incident, consider insurance notification requirements, determine the type of incident and escalation, consider the communications protocol and consider involving law enforcement. In addition, the CISO is informed of potential cybersecurity incidents through the Company’s IT incident response system, which contains security logs that are reviewed by the Company’s 24/7/365 security operations center, and through the Company’s enterprise incident response system, which involves both daily reports of potential issues and alerts that may be initiated by an employee or former employee of the Company.