CARRIAGE SERVICES INC - (CSV)
10-K Filing Date: March 01, 2024
ITEM 1C. CYBERSECURITY
RISK MANAGEMENT AND STRATEGY
The Company’s cybersecurity program is designed to secure the continuity of operations and protect the privacy of company, employee and customer data. Our approach to managing cybersecurity risk and safeguarding information across our organization embeds data protection and cybersecurity risk management throughout our enterprise and daily operations. Our team maintains processes for identifying, assessing and managing material risks, including risks from cybersecurity threats, and these processes are integrated into our overall risk management approach. Our team regularly reviews significant risks to our Company, including significant cybersecurity risks and the potential for future cybersecurity incidents. Through these reviews, we discuss the identified risks, describe their likelihood of occurrence and assess their potential impact, including the materiality thereof. As part of this exercise, mitigating measures are planned and put into action as necessary. As an additional feature of our cybersecurity risk management process, we have engaged an external third-party service provider to support our cybersecurity team by continuously monitoring for and identifying potential threats, with the ability to take immediate mitigation actions when required. In addition to these services, we have periodic network penetration tests conducted by an independent third party.
We undertake to align our cybersecurity approach, which encompasses both enterprise security and operational security, with the standards of the National Institute of Standards and Technology Cybersecurity Framework. We maintain continuous cyber threat-detection systems and have established an incident response plan, which contains playbooks for addressing and recovering from potential material cyberattacks and breaches of data security. We also have controls in place to ensure that any third-party access to our internal systems adheres to our internal cybersecurity safeguards, and we firewall any access from such third parties, including service providers, through a secure virtualization layer. In addition to security measures for third-party service providers, we require periodic training covering cybersecurity and information management and conduct regular cybersecurity awareness campaigns.
Except with respect to our previously disclosed ransomware attack on our information technology systems in January 2021, which we determined, based on our assessment of the information known to us, did not have, nor do we expect it will have, a material impact on our business, operations or financial results, we are not aware of any cybersecurity incident that has had or is reasonably likely to have a material impact on our business operations. Given the rapid evolution of cyber-related attack techniques, cybersecurity risks associated with our information technology systems and the systems of our vendors continue to grow. Notwithstanding our cybersecurity management processes, a future cybersecurity incident could have a material adverse effect on our business or on our financial position, results of operations or cash flows. See “Item 1A. Risk Factors - General Risks – Information Technology and Internal Controls - We rely significantly on information technology and any failure, inadequacy, interruption or security lapse of that technology, including any cybersecurity incidents could harm our ability to operate our business effectively.”
GOVERNANCE
We involve multiple levels of oversight as a part of our approach to cybersecurity risk management. Our Board oversees and regularly reviews risks to our Company, including cybersecurity, along with related policies and procedures. These reviews include updates from our management team and periodic executive sessions with our Chief Information Officer (“CIO”) covering cybersecurity matters, such as developments to our program, key risk indicators, emerging risks, and identified incidents.
In addition, our CIO, who has more than 25 years of industry experience and over 10 years of experience with the development, training and controls of effective enterprise cybersecurity programs, oversees the implementation of, and compliance with, our cybersecurity program and the mitigation of information security-related risks. Such oversight includes: (i) reviewing our enterprise risk register; (ii) maintaining adequate processes to manage the identified risks under our cybersecurity program; (iii) regularly analyzing logs of cybersecurity threats and vulnerabilities; and (iv) overseeing prevention, detection, mitigation and remediation efforts in general, including the development and maintenance of the above-mentioned incident response plan. Additionally, we maintain an experienced information technology team at the employee level that supports our CIO in implementing our cybersecurity program and our internal reporting, security and mitigation functions.