NATIONAL RESEARCH CORP - (NRC)
10-K Filing Date: February 27, 2024
Cybersecurity
We maintain an information security program to safeguard our information and systems, and to govern the third parties that create, receive, or transmit our information or are critical to our operations. The controls within the program are updated as technology, regulation, and operational needs change, so that the program continues to meet our standards for the confidentiality, integrity, and availability of our information assets.
Risk management & strategy
Our information security program, including cybersecurity risk management, is integrated into our overall Enterprise Risk Management Program (“ERMP”) framework. Our ERMP assesses strategic, operational, and environmental factors to identify key and emerging risks across the organization, including cybersecurity risks. A key risk matrix is maintained to evaluate the potential impact of key risks and to monitor the effectiveness of mitigations and controls. We, our customers, suppliers, and subcontractors face cybersecurity risks such as phishing, ransomware, zero-day exploits, malware attacks, and social engineering attacks. A cybersecurity incident impacting us or our subcontractors could materially and adversely affect our performance and results of operations. For more information about the cybersecurity risks we face, see the factors set forth under the caption “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.
Our cybersecurity risk management procedures encompass administrative, technical, and physical security measures. Our Security Team meets regularly, subscribes to threat intelligence sources, and participates in professional organizations to stay informed of emerging threats and vulnerabilities. We use both internal tools and third-party resources to perform risk and vulnerability assessments, as well as penetration testing. This includes a managed security service that operates 24/7 to scan for and analyze potential threats. Our Contractors and Third Parties Policy requires certain vendors to undergo annual reviews, including security assessments and site visits. Additionally, our subcontractor agreements require that subcontractors report any security incidents to us. Risk assessment results and recommendations are documented in our risk register, reported, and monitored by our security team. Annually, we engage independent auditors to issue a System and Organization Controls (SOC) 2 Type II report based on their examination of the critical systems we use to provide services to our clients, covering the suitability of the design and the operating effectiveness of controls.
Governance
The Board of Directors has the responsibility to oversee our enterprise risk management framework and its associated policies and procedures. The Audit Committee of the Board has been assigned the responsibility to inquire of management, the independent accountants, and the internal auditor about significant risks and exposures, including those relating to data privacy, information security, and cybersecurity, and to assess the steps management has taken to minimize such risks and exposures. The Audit Committee also makes recommendations to the Board, as and when appropriate, as to the scope, direction, investment levels, and execution of our data privacy, information security, and cybersecurity initiatives.
Our Enterprise Risk Management Committee (“ERMC”), which includes certain associates with data privacy, information security, and cybersecurity experience, supports our Board of Directors in this oversight. The ERMC reports to the Audit Committee of the Board of Directors. The ERMC manages the ERMP and provides regular updates to the Audit Committee regarding our key risk tolerance scorecard results and ERMP developments. Our Chief Security and Privacy Officer (“CSPO”) also reports to the Audit Committee on a regular basis, providing an Information Security Report that covers our information system risk profile, our top risk challenges, and our security initiatives and strategies. Additionally, the ERMC communicates emerging risks, and the mitigation of those risks, to the Audit Committee. Significant cybersecurity matters and strategic risk management decisions are elevated to the full Board of Directors to enable oversight and guidance on critical cybersecurity issues.
Our CSPO, Dr. Cris V. Ewell, is an ERMC member and has primary responsibility for our Information Security Program, including the maintenance and enforcement of our security policies. Dr. Ewell serves as an advisor to our leadership team, assisting them in optimizing security measures, mitigating risk, fortifying defenses, and minimizing vulnerabilities. Dr. Ewell develops written policies and procedures and conducts training across the organization. He is responsible for overseeing and executing the strategic plan for our data protection program, information security systems, compliance, computer networks, and business continuity/disaster recovery. Additionally, Dr. Ewell participates in project management duties and manages information security integration efforts, working closely with internal teams, vendors, subcontractors, and clients. Dr. Ewell has over 25 years of experience in information security and has spent over 20 years in CISO or equivalent roles. He previously held CISO positions at PEMCO Corporation, Seattle Children’s Hospital, and University of Washington Medicine before joining us as our Chief Security and Privacy Officer. Throughout his career he has worked as an Adjunct Professor specializing in risk management and operational controls courses, and he is currently an Associate Professor teaching graduate information and technology security courses at City University of Seattle. He was named one of the Top 100 CISOs by CISOs Connect in 2021 and was included in Becker’s Hospital Review’s “CISOs to Know” lists for 2018 through 2020.