CRA INTERNATIONAL, INC. - (CRAI)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Our cybersecurity program and policies establish the responsibilities of individuals and committees tasked with oversight of security risk management and provide broad directives that support implementation for identifying, assessing and managing risks from cybersecurity threats. We conduct an annual information security risk assessment which includes a review of the organization’s performance of administrative, technical and physical safeguards protecting personal and confidential information. Information security related policies are reviewed on an annual basis and approved by the owners of each functional area.
We engage independent third parties to conduct ethical hacks of key systems, aiding our understanding of control effectiveness and facilitating the implementation of more robust controls. We periodically engage with a third-party assessment firm to conduct reviews of our overall program and to examine our security controls to help us better align our cybersecurity program with industry standards. To monitor and decrease the risks from cybersecurity threats associated with our use of third-party service providers, potential new vendors with a greater degree of system or data access are subjected to a security vetting process prior to engagement. Existing critical vendors that store or process company or client information are reviewed annually through commercially reasonable efforts.
Management and Board Oversight
Our management is responsible for the day-to-day management of the risks that we face, while our Board of Directors, as a whole, has responsibility for the oversight of our enterprise risk management. Under the oversight of the Board of Directors, cybersecurity risk is managed under the direction of our Information Security department, the ISC and the Enterprise Risk Committee (“ERC”). The ISC is a standing committee that acts as a point of escalation for security incidents and is headed by our Chief Information Officer (“CIO”). Our CIO has over 20 years of experience in the IT field, holds a Bachelor of Science in Information Systems and is MCSE certified. Other members of the ISC include IT senior leadership, IT operations and corporate management and a member from our Forensic & Cyber Investigations practice. Other members of the ISC have work experience related to information security issues and/or hold industry certificates, including Certified Information Systems Security Professional (CISSP). The ERC is a standing committee providing oversight on overall enterprise risk. The ERC is chaired by our Chief Legal Counsel and is composed of representatives from senior management. The Board of Directors receives regular updates and reports from members of senior management regarding our cybersecurity risks and protection measures, including any notable cybersecurity incidents, and evaluates risks posed by cybersecurity threats.
Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
In the event of a cybersecurity incident which jeopardizes the confidentiality, integrity, or availability of our information and technology infrastructure and systems, we utilize a regularly tested incident response plan. The plan defines an organized approach to dealing with cybersecurity incidents, and identifies roles, responsibilities and escalation protocols. The plan is designed to provide an orderly response to incidents, minimize impact, initiate appropriate communications internally and externally, and identify recommendations to mitigate future incidents.
Cybersecurity incidents may be detected through a variety of means, including employee notification to our IT personnel, notification from external parties (e.g., customers, vendors, or service providers), and automated event-detection notifications. Once a potential cybersecurity incident is identified, IT personnel assigned to the incident assess the severity of the event and sensitivity of any compromised data and follow the reporting and escalation procedures set forth in the incident response plan. Events that could have a high impact or that require additional judgment are escalated to the Information Security Council (“ISC”). The ISC designates an incident response team to continue investigation of the incident to determine the extent of exposure and damage, and works to contain the damage and isolate the affected system, apply security measures and ultimately recover systems.
Should a cybersecurity incident be escalated to the ISC, the ISC notifies the Chief Legal Counsel in his capacity as chair of the ERC. In the event of a material cybersecurity incident, the Chief Legal Counsel, as chair of the ERC, would inform the Board of Directors or the executive committee thereof.
Cybersecurity Risks
As of December 30, 2023, we have not had any material incidents involving cybersecurity attacks. However, we face risks associated with cybersecurity threats. Although we make efforts to maintain the security and integrity of our networks and systems, and the proprietary, confidential and personal information that resides on or is transmitted through them, and we have implemented various cybersecurity policies and procedures to manage the risk of a cybersecurity incident or disruption as described above, there can be no assurance that our security efforts and measures will be effective or that attempted cybersecurity incidents or disruptions would not be successful or damaging. See “Risk Factors–Risks Related to Our Client Relationships–Information, technology systems or service failures, or a cybersecurity attack or other compromise of our or our client's confidential or proprietary information, could have a material adverse effect on our reputation, business and results of operations.”