Strategic Education, Inc. - (STRA)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
The Company’s cybersecurity program is designed to protect and preserve the confidentiality, integrity, and availability of our networks and systems, as well as information that we own or that is in our care, through a risk-based approach. The Company’s program is based on the U.S. National Institute of Standards and Technology (NIST) standards and other applicable industry frameworks. Our cybersecurity program identifies, assesses, and manages material risks from cybersecurity threats by implementing a comprehensive set of practices, processes, and technologies designed to protect our digital assets and data.
Our cybersecurity program includes:
ongoing employee cybersecurity awareness and training activities, which include periodic “phishing” testing;
intrusion detection by monitoring network and system activities to detect unusual or suspicious behavior;
access management and access controls which aim to implement “least privilege” access;
protection of sensitive data through “at rest” and “in transit” encryption;
industry-standard monitoring and protection software;
a defined vulnerability management program;
periodic cybersecurity assessments, including with the support of independent third-party consultants;
developing plans for recovering from security incidents and maintaining business continuity in the face of cyberattacks; and
a cybersecurity incident response plan that provides controls and procedures to support timely and accurate reporting of cybersecurity incidents.
The Company’s cybersecurity program is integrated within the Company’s enterprise risk management program, which provides oversight and governance of cybersecurity risk through risk assessment, risk monitoring, and follow-through on stated objectives and investments to actively manage and remediate related risks.

The Company maintains arrangements with third-party information technology (IT) vendors, including “cloud computing” vendors. The Company has processes designed to manage cybersecurity risks arising from our use of such vendors, including conducting risk assessments prior to integration into the Company’s networks and additional assessments prior to contract renewals or extensions. Cybersecurity measures employed by significant third-party service providers are also assessed prior to their introduction into our environment. The Company also commissions third-party risk assessments of certain IT vendors to identify and evaluate risks associated with each third party and to minimize potential disruptions and liabilities that may arise from external partnerships. We further manage potential threats to our systems originating with or associated with IT vendors by integrating cybersecurity requirements and other provisions into various contracts as applicable. Vulnerabilities in third-party software are monitored and managed through our vulnerability management program.
To date, the risks from cybersecurity threats have not materially affected the Company. Our cybersecurity program is designed to detect and prevent cybersecurity events that would have a material adverse effect on the Company. Despite our efforts, however, the threat of sophisticated, targeted computer crime poses a risk to the security of our systems and networks and to the confidentiality, availability, and integrity of our data. Notwithstanding our efforts to protect intellectual property and confidential and personal information, our facilities and systems may be vulnerable to cybersecurity events. See “Item 1A. Risk Factors – Risks Related to our Business.”
We maintain insurance covering certain costs that we may incur in connection with cybersecurity incidents, which we believe is commensurate with the size and the nature of our operations. However, the Company may incur expenses and losses related to a cyber incident that are not covered by insurance or are in excess of our insurance coverage.
Governance
The Company’s Chief Information Security Officer (“CISO”) is responsible for cybersecurity at the executive level. The CISO oversees a team of cybersecurity professionals responsible for assessing and managing our material risk from cybersecurity threats. The CISO works closely with the Chief Information Officer and reports to the Chief Financial Officer and Chief Administrative Officer. The CISO also leads a cross-functional Cybersecurity Incident Response Team (“CSIRT”) responsible for responding to and managing cybersecurity incidents. The CSIRT consists of professionals from various departments within SEI, including Information Technology, Information Security, Legal, Finance, Enterprise Risk Management, Human Resources, and other key business areas. The CISO has extensive expertise in cybersecurity, including over two decades of experience at a federal law enforcement agency, where responsibilities included technical risk management, information security, cyber investigations, incident response, and cyber strategy. In addition to the CISO’s professional background, the CISO maintains several relevant industry credentials, including the ISACA Certified in Risk and Information Systems Control (“CRISC”) and the ISC2 Certified Information Systems Security Professional (“CISSP”) certifications.
The Audit Committee of the Company’s Board of Directors, which is wholly comprised of independent directors, is tasked with oversight of the Company’s enterprise risk assessment and risk management policies and guidelines, including cybersecurity. The Audit Committee receives quarterly cybersecurity updates from the Chief Information Officer and/or the CISO. Each update includes, among other topics, a summary of SEI cybersecurity events, vulnerability management, ransomware readiness, and global cybersecurity trends across industries. The Audit Committee also receives updates from Internal Audit, which report on cybersecurity in the context of enterprise risk management. The Audit Committee updates the Board of Directors as appropriate.
The Company maintains a process to escalate certain cybersecurity incidents promptly so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.