ARC DOCUMENT SOLUTIONS, INC. - (ARC)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
We believe that cybersecurity is important to how we operate as a company and as such we focus on defining and managing our cybersecurity risk. With the ever-changing cybersecurity landscape and continual emergence of new threats, our Board of Directors, Audit Committee, and senior management team ensure that significant resources are devoted to cybersecurity risk management and the technologies, processes and people that support it. We have steadily increased companywide awareness to strengthen our cybersecurity risk management practice and processes. We employ a risk-based cybersecurity program that leverages the National Institute of Standards and Technology (NIST) framework and is designed to protect, detect, identify, and respond to cybersecurity risks and incidents. We regularly assess critical areas of our cybersecurity program to identify cybersecurity strengths and weaknesses and provide valuable insights for mitigating cyber risks.
Our cybersecurity team monitors networks and systems for potential signs of suspicious activity by utilizing, among other things, firewalls, intrusion detection systems, multi-factor authentication, and encryption. Additionally, our cybersecurity program includes a security Incident Management policy to ensure that a consistent, methodical, and timely incident response process is completed by the designated response team. The designated cybersecurity incident response team is responsible for managing and coordinating our cybersecurity incident response efforts. The incident management workflow with assigned duties and responsibilities streamlines the incident response and helps improve and mitigate the overall incident impact.
We engage cybersecurity consultants and other third parties to enhance our cybersecurity practices. We conduct penetration testing, vulnerability, and other assessments with the assistance of these third parties. These tests and assessments enhance our cybersecurity program. We also use third-party service providers to support our operations and technology initiatives. We evaluate third-party service providers from a cybersecurity risk landscape.
Our Board of Directors oversees management’s processes for identifying and mitigating risks, including risks pertaining to cybersecurity. On a periodic basis, senior executives, including our Chief Technology Officer (CTO), present to the Board of Directors details of our cybersecurity initiatives and program and any incidents deemed to have a business impact, even if the impact is not material for us. The Board of Directors along with all committee members participate in discussions regarding cybersecurity risks.
Our Information Technology and Security organization is managed by our Chief Technology Officer, who has overall responsibility for monitoring and managing cybersecurity threats and incidents and for implementing cybersecurity policies, programs, procedures, and strategies. The Chief Technology Officer has vast experience in providing cybersecurity oversight.
Despite the continuous risk faced by the Company, we have suffered no incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. Notwithstanding the exhaustive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our business, results of operations and financial condition. While we maintain cybersecurity insurance and have never had a cybersecurity claim, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.