SP Plus Corp - (SP)
10-K Filing Date: February 28, 2024
We maintain an information security and cybersecurity program as part of our overall risk management program. Our information security and cybersecurity program is managed by a dedicated Chief Information Security Officer (“CISO”), who reports to our Chief Financial Officer (“CFO”). Our CISO has extensive expertise and eighteen years of experience in information security. In addition, the CISO’s team is responsible for leading the enterprise-wide information security and cybersecurity strategy, policy, standards, architecture and processes. Our information security and cybersecurity program identifies and prioritizes risks to appropriately analyze and manage our potential cyber-related threats.
The CISO provides periodic, or as needed, reports regarding risks from cybersecurity threats to the Audit Committee (the “AC”) of the Board, as well as the Security Executive Committee, which includes our Chairman and Chief Executive Officer (“CEO”), CFO and other executive leadership. These reports include updates on our cybersecurity risks, the status of projects to strengthen our information security systems, assessments of the information security program and the emerging threat landscape.
The CISO is responsible for leading the day-to-day assessment, identification and management of cybersecurity risks, while the Board, as a whole and through the AC, has responsibility for the oversight of risk management, including cybersecurity risk. The Board, in its risk oversight role, is responsible for determining that the risk management framework and supporting processes as implemented by management are adequate and functioning as designed. The Board is actively involved in the oversight of key risks inherent in our business and routinely reviews our strategic plan and the related key risks, including the output of our enterprise risk management process, which includes risks related to cybersecurity.
In addition to the CISO’s and Security Executive Committee’s review, cybersecurity risks are regularly assessed by two other internal information security sub-committees, as well as a third-party security consultant. The results of those reviews are reported to our Security Executive Committee, the AC and the Board. The third-party security consultant discussed above has extensive industry expertise in security and risk management. In addition, as part of our cybersecurity program, we evaluate all of our third-party vendors for any material cybersecurity risks and only contract with third-party vendors that have the controls that we believe are appropriate to have in place to protect against cybersecurity risks and threats. As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. See Part I, Item 1A. Risk Factors of this Form 10-K under the heading “Risk Factors” for further discussion.