KFORCE INC - (KFRC)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY.
Our cybersecurity program helps us secure our systems, keeps our business running around the clock and protects our clients, consultants, employees and shareholders from vulnerabilities and threats. With oversight from our Board, the Audit Committee and key leaders across Kforce, we have put proactive measures and systems in place to protect our information assets from unauthorized use or access. The Firm’s cybersecurity framework is based on the National Institute of Standards and Technology (“NIST”).
Management Oversight
Our Chief Information Security Officer (“CISO”) leads our Information Security and Data Privacy Council, which meets quarterly, or more frequently if necessary, to assess, identify and manage cybersecurity threats, support advocacy programs and advise our Chief Information Officer (“CIO”) and CISO on solutions. The council is made up of key members of senior management across the Firm, including enterprise security, human resources, legal, internal audit, finance, procurement, communications and field management.
Our Enterprise Security team monitors and manages system infrastructure to protect the Firm against threats. Our Cyber Risk Management program considers risks from many sources including, but not limited to, alerts, threat intelligence sources, risk assessments and vulnerability management. Our Cyber Risk Management process includes risk assessment processes to identify risks, a risk evaluation process that includes risk acceptance or denial at all levels of the organization, and third-party vendor management in which each vendor’s security posture is assessed to understand how it strengthens Kforce’s cyber supply chain. We have taken a defense-in-depth approach to the implementation of our cybersecurity controls. These controls are set to block and/or provide alerts on suspicious activities. Our around-the-clock security operations center responds as appropriate to risks identified, and performs the risk assessment and risk evaluation. Our risk register and risk remediation processes help us ensure we are tracking and addressing priority risks, as appropriate. Any potential risks or threats identified by the Enterprise Security team are communicated to the CISO and the Information Security and Data Privacy Council.
Our Vice President of Internal Audit, in collaboration with our General Counsel, facilitates our enterprise risk management (“ERM”) process. Cybersecurity related risks are included in our overall risk evaluation for our ERM process to determine top risks for the Firm on an annual basis. Our internal audit team, which reports directly to the Audit Committee, uses the ERM program to develop a risk-based audit plan, which is approved by the Audit Committee annually.
Our CIO is accountable for the Firm’s cybersecurity and data privacy programs and is supported by the CISO. Our CIO and CISO have extensive information technology and program management experience, and have served many years in our corporate information security organization. Under the guidance of the CIO, the CISO manages day-to-day operations of the security and data privacy functions and proposes changes to the Firm’s cybersecurity strategy, which is part of our overall information technology strategy. The CIO and CISO meet frequently to discuss cyber and data operations, privacy programs and risks.
Each of these teams remains in close coordination to ensure risk mitigation strategies are designed and operating effectively.
Board Oversight
The Board is actively engaged in the oversight of cybersecurity and data privacy. The Audit Committee assists the Board in meeting its responsibility to oversee cybersecurity and data privacy strategies and practices. On a quarterly basis, the Audit Committee receives updates on (a) our progress in meeting objectives established in our cybersecurity maturity roadmap, (b) relevant reported cybersecurity events in the overall market and evolving risks, (c) results of work performed by our information security organization (e.g., penetration tests, cybersecurity program maturity assessments) and (d) detailed reports of cybersecurity trends within the Firm. We engage subject matter experts to conduct independent assessments of our cybersecurity program maturity, penetration tests, and other tests and assessments.
Senior management, including our CIO and CISO, briefs the Board on an annual basis on our cybersecurity and information security posture and on cybersecurity incidents deemed to have a moderate or higher business impact, even if an incident is considered immaterial to us. Annually, the Board and management participate in a comprehensive strategy discussion on cybersecurity.
To further enhance the Board and Audit Committee’s role in overseeing cybersecurity risks, the Board formed a special working group that is comprised of two members of the Audit Committee to have more frequent and detailed dialogue with executive management (including our COO, CFO, CIO, CISO and VP of Internal Audit) on all areas pertaining to cybersecurity. This working group provides updates on a quarterly basis, or more frequently if necessary, to the Audit Committee. As a result of the steps taken by the Firm with respect to our cybersecurity program, we have not experienced a material breach to date.
Management also provides the Audit Committee with an annual overview of Kforce’s various lines of insurance that we maintain, including our cybersecurity insurance policy. The Audit Committee provides the Board with quarterly reports on the Firm’s risks and ERM program findings, including cybersecurity risk and data privacy practices.
We face risks from cybersecurity threats that could have a material adverse effect on our business strategy. See “Risk Factors – Risks Related to Cybersecurity and Technology – Cybersecurity risks and cyber incidents could adversely affect our business and disrupt operations.” in Part 1, Item 1A. Risk Factors of this report for a discussion of these risks. As a result, at least in part, of the steps taken by the Firm with respect to our cybersecurity program, we have not experienced a material breach to date.
Third-Party Vendor Management
Many of our information technology systems and networks are cloud-based or managed by third parties, whose future performance and reliability we cannot control. The risk of a cyberattack or security breach on a third party carries the same risks to Kforce as those associated with our internal systems. We seek to reduce these risks by performing significant vendor due diligence procedures prior to engaging with any third-party vendor who will have access to sensitive data. Additionally, we require annual audits of certain third parties’ information technology processes.