EXPONENT INC - (EXPO)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We recognize the critical importance of cybersecurity and data privacy in safeguarding our operations, sensitive data, and maintaining the trust of our stakeholders. We treat cybersecurity incidents and threats as potential risks that may impact our operations and information systems. We have developed and implemented cybersecurity and data privacy programs in accordance with the requirements of ISO standards 27001:2013 and 27701:2019, which are intended to appropriately preserve the confidentiality, integrity, and availability of information maintained by our company. These programs identify, select, maintain, operate, and improve cybersecurity and privacy controls.

We have implemented processes for assessing, identifying, and managing material risks from cybersecurity threats. These processes are designed to preserve the confidentiality, integrity, and availability of our information systems and the information residing therein. Our cybersecurity incident response plan is based on the NIST 800-61r2 “Computer Security Incident Handling Guide.” This plan is used to process security events identified through our real-time, 24x7 monitoring, and we conduct security incident tabletop exercises. The incident response plan includes detailed steps for incident leadership, escalation to established partners, response protocols based on the type of incident, responsibilities for follow-up and reporting, and steps to capture lessons learned and improvement opportunities. Our vulnerability management processes include real-time monitoring for vulnerabilities and standardized reporting for managing remediation efforts. Our cybersecurity risk management processes are integrated into our overall risk management system to ensure alignment with our business objectives and strategies. We engage assessors, consultants, auditors, and other third parties to execute certification audits, penetration tests, and security framework risk assessments. These external entities provide specialized expertise and insights to enhance the effectiveness of our cybersecurity risk management processes.

We have established processes to oversee and identify cybersecurity risks associated with our use of third-party service providers. We conduct due diligence assessments and evaluate contractual obligations to mitigate potential risks arising from third-party relationships.

Cybersecurity threats, including previous incidents, have the potential to materially affect our company, including our business strategy, results of operations, and financial condition. While we have not experienced material adverse effects from cybersecurity threats to date, we recognize the evolving nature of these risks and remain vigilant in our efforts to mitigate potential impacts.

Governance

Our Board of Directors provides oversight of risks from cybersecurity threats. The Security and Privacy Management Committee (the “SPMC”) consists of our Chief Financial Officer, General Counsel, Vice President of Information Technology, Chief Human Resources Officer, Director of Information Security and Director of Environmental Health and Safety. The SPMC is tasked with ensuring risks are adequately addressed within our governance framework.

We maintain a dedicated team of cybersecurity professionals. The Director of Information Security, the Information Security team, the SPMC, the Vice President of Information Technology, and the Information Technology leadership team are principally responsible for assessing and managing cybersecurity risks for our company. These individuals possess relevant expertise in cybersecurity risk management and are equipped to address the evolving nature of cyber threats. Our Director of Information Security has over 20 years of cybersecurity experience, holds several professional certifications and is an adjunct faculty member teaching courses on information security management and governance. Our cybersecurity professionals have a proven track record of executing strategic security objectives across various sectors, including utility, government, healthcare, and consulting. They bring with them experience in designing, implementing, and managing information security programs focused on quality, performance, and compliance.

Our information security team and our third-party security service providers actively monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents, ensuring timely response and resolution. Processes are in place to inform relevant management positions and committees about emerging threats and incident response activities. The Director of Information Security provides regular updates on cybersecurity risks and incidents to the Board of Directors, the SPMC, and IT leadership.