GEO GROUP INC - (GEO)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity


As a government contractor, GEO routinely processes, stores, and transmits large amounts of Personally Identifiable Information (“PII”). As such, we understand the criticality of a robust cybersecurity program that protects company assets as well as our clients’ data. Our customers, suppliers, service providers, subcontractors, and joint venture partners face similar cybersecurity threats, and a cybersecurity incident affecting us or any of these entities could materially and adversely affect our operations, performance, and results of operations.

The Board, through its Cybersecurity and Environmental Oversight Committee, oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our Chief Information Security Officer (CISO), briefs the Board of Directors quarterly, or as needed, on our cybersecurity and information security posture, and the Board of Directors is apprised of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us.

Our corporate information security organization, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. Our current CISO has extensive information technology and program management experience and has served many years in our corporate information security organization. In addition, our CISO holds a certificate in Cybersecurity Oversight from the Carnegie Mellon University Software Engineering Institute. The corporate information security organization oversees, manages, and continually enhances a robust enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur. Employees outside of our corporate information security organization also have a role in our cybersecurity defenses, and they are immersed in a corporate culture that supports information security, which we believe improves our cybersecurity.

The corporate information security organization has implemented a governance structure and processes to assess, identify, manage, and report cybersecurity risks. The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the Center for Internet Security controls. In addition, GEO has robust policies and procedures related to cybersecurity and general IT practices that include, but are not limited to, encryption standards, antivirus protection, remote access, multifactor authentication, confidential information, and the use of the internet, social media, email, and wireless devices. These policies go through an internal review process and are approved by appropriate members of management.

Assessing, identifying, and managing cybersecurity-related risks are integrated into our overall enterprise risk management (ERM) process. These initiatives are supported by a Managed Security Service Provider (“MSSP”) that provides continuous intelligence and threat assessments, including assessments of cybersecurity risks associated with our use of any third-party service provider. Also, as part of the program, GEO engages third-party cybersecurity organizations to perform bi-annual assessments of the environment. Identified cybersecurity-related risks are included in the risk universe that the ERM function evaluates to assess the top risks to the enterprise on an annual basis. To the extent the ERM process identifies a heightened cybersecurity-related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The ERM process’s annual risk assessment is presented to the Board.

Notwithstanding the extensive approach we take to prevent cybersecurity breaches, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse financial impact on our business. While GEO maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks. There have been no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect GEO, including its business strategy, results of operations, or financial condition.