CBIZ, Inc. - (CBZ)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY.
CBIZ maintains a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program, which is integrated into the Company’s enterprise risk management system, includes the development, implementation, and maintenance of security measures and controls, as well as policies and procedures governing the operation of these security measures and controls.
The underlying controls of the cyber risk management program are based on recognized practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the International Organization for Standardization (“ISO”) 27002 framework and code of practice for information security controls to establish, implement, and improve an Information Security Management System focused on cybersecurity.
Cyber partners are a key part of CBIZ’s cybersecurity infrastructure. CBIZ partners with leading cybersecurity companies and organizations, leveraging third-party technology and expertise. CBIZ engages with these partners to monitor and maintain the performance and effectiveness of third-party products and services that are deployed in CBIZ’s environment, to scan for potential vulnerabilities and to conduct penetration testing.
CBIZ’s IT Security Director reports to CBIZ’s Chief Information Officer and is the head of the Company’s cybersecurity team. The IT Security Director is responsible for assessing and managing CBIZ’s cyber risk management program, informs senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervises such efforts. The cybersecurity team has decades of experience selecting, deploying and operating cybersecurity technologies, initiatives and processes. Additionally, members of the cybersecurity team have extensive information technology and program management expertise and have earned various cybersecurity certifications. Finally, the cybersecurity team relies on threat intelligence as well as other information obtained from governmental, public or private sources, including external consultants engaged by CBIZ.
The Board of Directors oversees CBIZ’s cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The cybersecurity team briefs the Board of Directors on the status of CBIZ’s cyber risk management program, typically on a semi-annual basis.
CBIZ faces risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations or cash flows. CBIZ has experienced, and will continue to experience, cyber incidents in the normal course of its business. However, prior cybersecurity incidents have not had a material adverse effect on CBIZ’s business, financial condition, results of operations or cash flows. See “Risk Factors – Risk Factors Related to Our Business and Industry – Cyber-attacks or other security breaches involving our computer systems or the systems of one or more of our vendors could materially and adversely affect our business.”