HACKETT GROUP, INC. - (HCKT)

10-K Filing Date: March 01, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity is critical to the delivery of our services to our clients. We face cybersecurity threats that are common to most industries. We have a cybersecurity risk management program in place that is designed to assess, identify, manage, and govern material risks from cybersecurity threats. This program is a key component of our enterprise risk management program. The Company’s Board is responsible for oversight of the Company’s information technology systems, including cybersecurity, and has delegated such oversight to the Audit Committee. The Audit Committee regularly reviews the status of initiatives such as the seeking of certifications associated with our information technology systems and receives regular updates on matters relating to information technology and cybersecurity. Our corporate information security organization, led by our Senior Director of IT who reports to our Chief Financial Officer, is responsible for our overall information security strategy, policy, security, operations and cyber threat detection and response. Our current Senior Director of IT has an extensive background and experience in information technology management and design, and data security. An integral part of our cybersecurity framework is our Security Response Team, which is responsible for the detection, review, and response to cybersecurity incidents. In the event of a security incident, we intend to follow our detailed incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery, and notification, including notifying functional areas as well as senior leadership and the Board, as appropriate.


We regularly review the effectiveness of our cybersecurity controls, promptly address any identified risk areas, and subject our information technology systems to testing performed by external parties on an annual basis. Our employees are required to successfully complete training on topics relating to our cybersecurity, data privacy and information security policies and procedures. Training is administered and tracked through online training modules. In addition, we perform periodic testing to evaluate the effectiveness of our training programs and to help prevent loss associated with the disclosure of electronic information. We also leverage third-party service providers and solutions across our operations to review, test, and assess our security systems and controls, as well as to assist in the mitigation of any potential cyber risks. We recently obtained the ISO 27001 certification.


To further bolster our cybersecurity controls, we also have a third-party risk management program in place applicable to all of our contractors, vendors, and service providers, which includes risk assessments, cybersecurity questionnaires, data privacy addendums, and contractual flow-downs of legal and regulatory requirements. We also require our contractors, subcontractors, vendors and service providers to report security incidents to us without undue delay.


To date, the Company has not identified any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business operations or financial condition. Despite the extensive approach we take to cybersecurity, prevention of a cybersecurity incident cannot be completely guaranteed. Please refer to “Item 1A. Risk Factors – We rely on information technology and security systems and any damage, interruption or compromise of our information technology and security systems or data could disrupt and harm our business” and “Item 1A. Risk Factors – A breach of our information technology and security systems could materially adversely affect our business” for further information.