Alight, Inc. / Delaware - (ALIT)
10-K Filing Date: February 29, 2024
Alight recognizes the importance of developing, implementing and maintaining robust cybersecurity measures designed to safeguard our information systems and protect the confidentiality, integrity and availability of the data in our care. The Company utilizes a cross-functional group of colleagues representing various stakeholders including technology, security, finance, internal audit, legal and others to identify and manage risks across the organization, including risks relating to cybersecurity.
The Company’s cybersecurity program is focused on continuous improvement and takes a layered approach to cybersecurity to include prevention, detection, and response-based controls. Our preventative measures include network-based controls, malware defenses, email security, encryption for data in motion and at rest, continuous vulnerability testing and mitigation, and multi-factor authentication. Our detection and response measures include comprehensive logging and continuous monitoring utilizing both in-house and Managed Security Services, forensics capability, and an enterprise crisis management function.
To support the overall cybersecurity program, Alight maintains an incident management team that tracks and logs privacy and security incidents across Alight, our vendors, and partners to better manage remediation and resolution of any such incidents. Significant incidents are promptly reviewed by a cross-functional working group to determine whether further escalation is appropriate. Any incident assessed as potentially material, or as potentially becoming material, is escalated for further review, and then reported to designated members of our executive leadership team where needed. We consult with outside counsel and forensics firms as appropriate, including on materiality analysis and disclosure matters, and members of our executive leadership team make the final materiality determinations and, if appropriate, disclosure to law enforcement, regulators or clients. Our executive leadership team apprises Alight’s Board of Directors and our independent public accounting firm of significant matters and any relevant developments.
Our cybersecurity frameworks are informed by third-party standards relevant to our industry such as those of the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS) and the International Organization for Standardization (ISO). We regularly test our cybersecurity defenses through both automated and manual testing to identify, prioritize and remediate risk. Alight also engages third parties to examine and report on the effectiveness of our controls relating to our systems, including those used in the cybersecurity frameworks.
Our Chief Technology and Delivery Officer, Chief Information & Security Officer and Chief Legal Officer provide periodic reports on our cybersecurity and risk management efforts, including with respect to information security practices, to the Audit Committee of our Board of Directors (the “Audit Committee”), as well as to other members of our executive leadership team, as appropriate. These reports include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape. Where appropriate, the Audit Committee then periodically reports to the full Board of Directors regarding the Company’s assessment of potential risk exposures and the steps management has taken to monitor and control such risks, which includes the Company’s cybersecurity program designed to prevent, detect, and rapidly respond to any potential incident.
In addition to our scheduled meetings, the Audit Committee and executive leadership team maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on significant developments in cybersecurity to facilitate proactive and responsive oversight. The Audit Committee is apprised of strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement helps drive integration of cybersecurity considerations into our Company’s broader strategic objectives.
Additionally, because Alight partners with a number of third parties in the ordinary course of business, our management team has developed and implemented processes to oversee and manage significant risks associated with the use of third-party service providers. We conduct thorough security assessments of critical third-party providers before engagement and periodically monitor vendor compliance with our security standards. The monitoring includes periodic assessments by our vendor management team and use of an independent vendor risk rating service that alerts Alight when there is a change in a service provider’s security posture. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Our Chief Information & Security Officer has over 30 years of experience in the cybersecurity industry, including, prior to joining Alight in 2021, as the SVP, Chief Information Security Officer at a multinational health insurance and health services company in the Fortune 100, and as head of cybersecurity for a U.S.-based financial services company in the Fortune 500, as well as for a federal banking institution and for a professional services company in the Fortune 500 specializing in information technology services. Our Chief Information & Security Officer reports directly to the Chief Technology and Delivery Officer and meets regularly with other members of senior management and the Audit Committee.
Our program is regularly evaluated by internal stakeholders and external parties with the results of those reviews reported to the executive leadership team and the Audit Committee, as appropriate. We also actively engage with key vendors, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. Our results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future incidents. For more information on our cybersecurity-related risks, see the Risk Factors in Item 1A. of this Annual Report.