BRIGHT HORIZONS FAMILY SOLUTIONS INC. - (BFAM)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
We recognize the critical importance of maintaining the safety and security of our information technology systems and data. Management’s approach to assessing, identifying and managing cybersecurity and information security risks and threats is embedded in our overall Enterprise Risk Management (“ERM”) program. Management, in turn, reports up to our Board of Directors (the “Board”), which is responsible for oversight of risk, including with respect to cybersecurity threats.
Board and Management’s Role and Expertise and Oversight of Risk Management and Strategy
Our information technology (“IT”) department, which maintains our cybersecurity function, is led by our SVP, Chief Information Officer (“CIO”), who reports directly to our Chief Executive Officer and has over 25 years of broad IT and digital transformation experience leading large technology organizations and product teams, with expertise in IT organizational leadership, network and cloud infrastructure, and enterprise engineering and technology. Our VP, Chief Information Security Officer (“CISO”) reports directly to the CIO and is responsible for managing our risks from cybersecurity threats, protecting and defending our networks and systems, and overseeing our Information Security Office. Our CISO has over 20 years of experience leading cybersecurity and information security departments and manages a team of professionals who have broad industry experience and expertise, including disaster recovery, IT risk management, detection and mitigation technologies, incident response, threat management, and regulatory compliance, and who hold industry-recognized certifications, such as the Certified Information Systems Security Professional and Certified in Risk and Information Systems Control.
Our CISO, under the supervision and direction of the CIO, is responsible for developing and implementing our information security program. Our Executive Committee, made up of senior leaders throughout the organization, including our CIO, receives periodic reports from our CIO on both the state of our IT department and Information Security Office and on our cybersecurity programs.
Our Board administers its risk oversight role directly and through its committee structure. While our Board has ultimate responsibility for overseeing our cyber risk, our Audit Committee oversees risks related to cybersecurity threats, data protection, data privacy and business continuity. Our Audit Committee regularly discusses and, at least annually, reviews with management, including our CIO, CISO and Global Privacy Officer, our cyber, information security, and data privacy risks and programs. This review includes risk assessments, the implementation of policies, procedures, processes and controls for the management of risks, management’s actions to identify and detect cyber threats and incidents, results of tests and assessments, and updates on our programs to manage disaster recovery, data privacy and compliance. Our management team also provides updates to the Board as needed. For instance, during the December 2022 cybersecurity incident, our Board and Audit Committee were regularly updated, and our Audit Committee provided oversight and feedback with respect to management’s investigation of, and response to, that incident, including internal and third-party investigations, public or governmental disclosures and our remediation efforts.
Our IT department and Information Security Office, supported by our Global Privacy Office, regularly evaluate cybersecurity risks. Cybersecurity risks are considered within our ERM framework, under which each risk is assigned a risk owner who develops and manages mitigation programs. Our annual ERM program is reviewed and overseen by the Audit Committee and is presented to the Board annually. We maintain an internal Privacy and Security Steering Committee, co-chaired by our CISO and Global Privacy Officer and made up of members from IT, legal, privacy and international operations, which is tasked with review of, and oversight over, our privacy and data security programs, policies and strategy. Our Governance, Risk and Compliance Committee, made up of members of legal, operations, human resources and internal audit as well as our CISO, provides additional support for enterprise risk management assessment and governance by monitoring our ERM program and engaging with compliance functions across the organization to identify gaps, support corrective action plans and promote best practices. Our internal control over financial reporting, including key business process controls and IT general controls, is reviewed and tested by our Internal Audit function annually.
Assessment, Identification and Mitigation of Cybersecurity Threat Risk
Our cybersecurity threat strategy is based on prevention, detection and mitigation using layered defenses, continuous assessment and monitoring, vulnerability scans, endpoint detection and response, and regular defense testing through simulations, penetration tests and tabletop exercises. While our cybersecurity policies, practices and programs may vary by location or by service, our overall cybersecurity risk management program leverages the ISO 27001 framework. Our Information Security Office regularly monitors alerts and threat levels, trends, and remediation efforts, conducts post-incident reviews, conducts maturity testing to assess our processes and procedures and the threat landscape, reviews our operational policies and procedures, and conducts an annual risk assessment as described above. We believe that these steps are useful tools in identifying and assessing risks, giving our team key information and insights used to manage those risks to help protect our clients, families, employees, vendors, investors, and our data and intellectual property.
Employees are required to complete role-specific cybersecurity training at least once a year, and we also require employees in certain other roles to complete additional role-based, specialized cybersecurity trainings. We have a set of policies and procedures addressing information security concerns governed by the Written Information Security Program (WISP) framework, as well as other policies that directly or indirectly relate to cybersecurity, such as encryption standards, antivirus protection, remote access, multi-factor authentication and confidential information, and policies related to the use of the internet, social media, email and electronic devices. These policies go through an internal review process and are approved by our internal Policy Board or Privacy and Security Steering Committee. We currently maintain a System and Organization Controls (“SOC”) Type 2 report for material applications and ISO 27001 and ISO 27701 certifications for the U.S. and U.K. Annually, our Internal Audit function conducts a security audit in accordance with the ISO 27001 framework.
Third parties also play a role in our cybersecurity risk management and strategy. We contract with a third-party cybersecurity incident response team to assist in the management of cybersecurity threats. We also engage and rely on third-party cyber and information security providers for cybersecurity applications and infrastructure to protect our network, systems and data.
Incident Response and Reporting
In the event of a cybersecurity incident, we follow an Incident Response Manual and a process, led by our CISO, that governs our assessment, response, and notification process, internally and externally. Depending on the nature and severity of an incident, this process includes review by an incident response team, made up of members of the Information Security Office, with escalating notifications up to our CIO, Legal Department, CFO, and CEO, followed by our Audit Committee Chair and the full Board.
Oversight of Third-Party Providers
When engaging with third-party providers or suppliers with access to our network, systems or data or a third party providing cybersecurity support or infrastructure, we assess and evaluate their cybersecurity preparedness. Depending on location and level of access to data, vendors complete an information security questionnaire and/or provide a SOC 1 or SOC 2 report and, for vendors unable to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness. We also include security and privacy addenda in our supplier contracts where applicable. Our assessment of cybersecurity threats associated with our third-party providers is part of our overall cybersecurity risk management framework.
Impact of Cyber Risk on our Business
We face a number of cybersecurity risks in connection with our business. We continue to invest in the security and strength of our networks and to enhance our internal controls and processes, which are designed to help protect our systems, infrastructure, and data. To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, such as the December 2022 cybersecurity incident, have not materially affected our business strategy, results of operations or financial condition. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. For more information regarding the risks we face from cybersecurity threats, please see Item 1A, “Risk Factors.”