BARRETT BUSINESS SERVICES INC - (BBSI)

10-K Filing Date: March 01, 2024
Item 1C. CYBERSECURITY

Risk Management and Strategy

Cybersecurity Risk Management Process

We have developed and continue to enhance our cybersecurity program to help secure our computer systems, software, networks, and data against material risks from cybersecurity threats, and help manage the material cybersecurity risks associated with our use of third-party service providers.

BBSI has integrated cybersecurity risk management into our overall risk management framework to identify, assess, and manage cybersecurity risks. As part of our integrated risk management process, our technology and information security team works closely with our management team on an ongoing basis to identify and respond to cybersecurity threats. Our proactive approach to cybersecurity risk management includes cybersecurity risk assessments performed internally by our IT security team and externally by third-party experts, penetration and vulnerability testing using third-party vendors and tools, tabletop exercises that simulate cybersecurity incidents, cybersecurity awareness training, and internal audit assessments of critical IT controls.

Use of Cybersecurity Experts

Due to the complex and evolving cybersecurity threat landscape, BBSI engages third-party experts to conduct in-depth threat assessments, identify vulnerabilities, monitor and detect threats, and offer strategic insights into our risk management process. Leveraging the knowledge, expertise, and resources of third-party experts, we regularly evaluate our cybersecurity risk management strategy to help us align with best practices and address cybersecurity threats that could impact our ability to achieve our business objectives.

Third-Party Service Provider Risk Management

We utilize third-party service providers for a variety of reasons, including, without limitation, infrastructure and SaaS cloud computing services, technology and business process service providers, content delivery to customers, back-office support, and other functions. Such providers may have access to information about BBSI or that we hold about our customers, associates or vendors.

To mitigate the cybersecurity risk associated with the use of third-party service providers, we tier our third-party service providers based on their risk profile to establish applicable cybersecurity risk review standards and evaluate those providers in accordance with the tiering process. BBSI also relies on its third-party service providers to maintain cybersecurity control environments that address the risks associated with the products and services they provide to BBSI.

Cybersecurity Threats

We are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect BBSI, including our business strategy, results of operations, or financial condition. Despite our efforts to ensure the integrity of our computer systems, software, networks, third-party relationships, and other technology assets, we may not be able to anticipate, detect, or recognize threats to our systems and assets, or to implement effective preventative measures against all cyber threats, given the sophistication of the techniques used. For further discussion, see Item 1A. “Risk Factors – Risks Related to Technology.”

Governance

Board Oversight of Cybersecurity Risk

Our Board of Directors has a significant role in the oversight of BBSI’s cybersecurity risk. The Board’s Risk Management Committee provides oversight of BBSI’s enterprise-wide risk management framework, including the strategies, policies, procedures, processes, and systems established by management to identify, assess, measure, monitor, and manage cybersecurity and other risks facing the Company. The Board of Directors also periodically receives reports from third-party consultants on the current cybersecurity threat environment, the results of third-party penetration testing, and the evaluation of the Company’s cybersecurity preparedness.

Management’s Role in Assessing and Managing Cybersecurity Risk

BBSI’s Chief Information Security Officer (“CISO”) leads our enterprise information security program and is primarily responsible for the assessment and management of the Company’s cybersecurity risk. The CISO has extensive experience in information technology and cybersecurity, including at another publicly traded company. The CISO oversees our cybersecurity risk management framework and manages a team of IT security professionals to identify and prioritize cybersecurity risks. The CISO also utilizes the expertise of third-party security partners to provide threat detection support, vulnerability management, incident response, penetration testing, and consulting services.

Ongoing Monitoring and Reporting of Cybersecurity Incidents

The Company has an internal security team, supplemented with third-party security partners, to consistently monitor, detect and respond to potential cybersecurity incidents. The Company has a cybersecurity incident reporting protocol that provides a mechanism for the appropriate members of management and the Board to be made aware of cybersecurity incidents. The Company also requires security awareness training for all employees to enable employees to understand their role in preventing and reporting cybersecurity incidents.

Reporting to the Board of Directors

The CISO and Chief Information Officer (“CIO”) regularly update the Board's Risk Management Committee on cybersecurity risks that the Company faces and the risk mitigation strategies that the Company employs to respond to those risks, with meetings generally occurring quarterly.