APi Group Corp - (APG)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

We recognize the critical importance of maintaining the safety and security of our information systems and data and have a holistic process for overseeing and managing cybersecurity and related risks. This process is supported by our senior leadership team, the Audit Committee, and our Board of Directors.

The responsibilities of the Chief Information Officer ("CIO") include overseeing cybersecurity measures with the global Chief Information Security Officer ("CISO"). The CIO's background includes nearly 18 years of IT leadership at a major medical technology company and experience in various industries such as financial services, manufacturing, oil and gas, and chemicals. He holds an undergraduate degree in Management Information Systems from Augsburg University and a Master of Business Administration from Carlson School of Management at the University of Minnesota.

The CISO, who reports to our CIO, is generally responsible for management of cybersecurity risk and the protection and defense of our networks and systems. The CISO manages a team of professionals with broad cybersecurity experience and expertise. Our CISO has served in various roles in information technology and information security for over 20 years and holds an undergraduate degree in Information Systems from Xavier University and an MBA from Michigan State. The CISO and his regional security leaders have a combined total of over 25 Information Technology and Cybersecurity certifications, including Certified Information Systems Security Professional, Certified Cloud Security Professional, and Certified Information Security Manager.

The CISO and the cybersecurity team are committed to ongoing education and professional development, regularly participating in training programs and industry conferences to stay abreast of the latest cybersecurity trends, threats, and mitigation strategies.

The CISO has appointed experienced security leaders over the North America and International regions to create additional alignment and collaboration.

Risk Management and Strategy

Our cybersecurity risk management program primarily leverages the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). We routinely assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. Our risk management program also assesses third-party risks to attempt to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. As part of our cybersecurity risk management program, we also gather threat intelligence through our multiple security partners and tools. This intelligence (including tactics, techniques and procedures used by cyber criminals) provides insights into potential threats and vulnerabilities, which helps us to defend against cyber-attacks.

As part of our cybersecurity risk management system, our incident management teams track and log privacy and security incidents across the Company. Significant incidents are reviewed by a cross-functional and multi-disciplinary working group to determine whether further escalation is appropriate. Any cybersecurity incident that meets certain pre-established criteria is reported to our Executive Crisis Management Team ("ECMT"), which includes members of the Company’s senior leadership team. The ECMT maintains an ongoing relationship with third-party advisors, such as forensic and incident management, crisis communications, and legal advisors, which we engage as necessary based on the specific facts of an incident. Incidents are evaluated to determine materiality for external reporting purposes as well as operational and business impact.

Assessment of our Program

We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third parties. Our IT security team monitors alerts and meets as needed to discuss threat levels, trends, and remediation.

We periodically perform simulations and tabletop exercises with the senior leadership team and incorporate external resources and advisors as needed. As part of those tabletop exercises, we review our Executive Cyber Crisis Management Plan, which is intended to provide senior leadership with operational structure and key considerations in the event of a cybersecurity incident. We also conduct employee training on cybersecurity through our online learning management systems, regular communications, and other interactive education, such as phishing simulations.

In addition, our cybersecurity policies, standards, processes and practices are regularly assessed by consultants and external auditors. These assessments include a variety of activities including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness.

Governance

Our commitment to cybersecurity begins at the Board, includes our Audit Committee, and extends to our senior leaders across the company. Our Audit Committee oversees our enterprise risk management process. The Audit Committee’s responsibilities include regular review of policies and practices with respect to risk assessment and risk management – including in the areas of cybersecurity and other information technology risk and privacy. The Audit Committee performs an annual review of the Company’s cybersecurity program and reports to the Board on the results of that review. Material cybersecurity incidents are discussed with our Audit Committee and Board of Directors.

Cybersecurity Risk

Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.