FIRST ADVANTAGE CORP - (FA)
10-K Filing Date: February 29, 2024
Risk Management and Strategy
We have processes in place for assessing, identifying, and managing material risks from potential unauthorized occurrences on or through our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems. These include a wide variety of mechanisms, controls, technologies, methods, systems, and other processes that are designed to prevent, detect, mitigate or remediate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities affecting the data. The data includes confidential, proprietary, and business and personal information that we collect, process, store, and transmit as part of our business, including on behalf of third parties. We also use systems and processes designed to reduce the impact of a security incident impacting our data at a third-party vendor or customer. Additionally, we use processes to oversee and identify material risks from cybersecurity threats associated with our use of third-party technology and systems, including: technology and systems we use for encryption and authentication; employee email; content delivery to customers; back-office support; and other functions.
Our cybersecurity team is led by our interim chief information security officer (“CISO”), who directs a unified cross-functional team that is responsible for implementing and maintaining centralized cybersecurity and data protection practices at First Advantage. Our interim CISO has numerous years of experience at First Advantage and other organizations managing security infrastructure, providing a variety of security services, and overseeing incident response and management, escalation of security events, vulnerability scanning, and security defect management. Collectively, the interim CISO and our cybersecurity team act in close coordination with senior leadership and other teams across First Advantage. In addition to our extensive in-house cybersecurity capabilities, we engage assessors, consultants, auditors, or other third parties to help assess, identify, and manage cybersecurity risks.
Our cybersecurity risk management process forms a critical component of our overall risk management and business strategy. As part of our risk management process, we conduct application security assessments, vulnerability management, penetration testing, security audits, and ongoing risk assessments. Additionally, we utilize data encryption and access control, single sign-on and multi-factor authentication, and malware protection within our control environment. We also maintain a variety of incident response plans that are utilized when incidents are detected. These plans are designed to be flexible so that they may be adapted to an array of potential scenarios and provide for the creation of cross-functional cybersecurity incident response teams in the event of a cybersecurity incident. We regularly review our incident response plans and conduct multiple incident response exercises each year, including sessions with management, to test and assess our preparedness to respond to a cybersecurity incident. Additionally, we require employees with access to our information systems, including all corporate employees, to undertake data protection and cybersecurity training and compliance programs annually.
As part of our incident detection and response processes, we have established internal teams to investigate and escalate notification of cybersecurity incidents. Pursuant to this process, cybersecurity incidents are reported to appropriate personnel within First Advantage (including the interim CISO, Chief Financial Officer, and General Counsel) and to the Audit Committee and Board of Directors based on incident materiality. We track incidents through resolution, conduct post-incident analysis and update our processes and procedures if areas for improvement are identified. On a monthly basis, a summary of prior period cybersecurity investigation escalations is reviewed by management, including our head of Internal Audit, our interim CISO, our Chief Global Compliance Officer, and our General Counsel.
Governance
Our cybersecurity risks and associated mitigations are evaluated by senior leadership, including as part of our enterprise risk assessments that are reviewed by the Audit Committee and our Board of Directors. Such risks and related mitigation activities are also subject to oversight by the Audit Committee of our Board of Directors. The Audit Committee, which is comprised of independent directors, oversees our policies and procedures for protecting our cybersecurity infrastructure and for compliance with applicable data protection and security regulations, and related risks, including management’s response to any significant cybersecurity incidents. The Audit Committee receives regular reports, from our interim CISO and Chief Technology Officer, regarding the cybersecurity control environment, including remediation updates, control posture analyses and other recurring items, and reports to the Board of Directors at least quarterly.
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents.
Additional information about cybersecurity risks we face is discussed in Item 1A of Part I, “Risk Factors,” under the heading “Our business, brand, and reputation may be harmed as a result of security breaches, cyber-attacks, employee or other internal misconduct, computer viruses, or the mishandling of personal data,” which should be read in conjunction with the information above.