ASGN Inc - (ASGN)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
A process for assessing, identifying, and managing cybersecurity related risks is integrated into our overall enterprise risk management (“ERM”) process. Cybersecurity related risks are included in the risk universe that the ERM process participants evaluate to assess top risks to the Company on an annual basis. The Audit Committee of the Board oversees the ERM annual risk assessment. Furthermore, as a digital innovation and transformation company, we are committed to our ever-evolving cyber protocols that safeguard our people, clients, and data. Every year, we assess our approach to information and physical security, risk management, incident response, business continuity management, and personal data privacy and protection.
ASGN takes an enterprise approach to data protection and cybersecurity, focusing on continual process and technology improvements to enable safety, security, and information privacy. All of ASGN’s brands align to the Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”) 2.0 framework and have implemented common technology and data protection and cybersecurity controls and processes, which provides a unified approach to our cybersecurity measures. We have invested in endpoint protection, cloud security, vulnerability management, and data loss prevention, featuring insider threat detection. We also conduct regular threat actor risk assessments and assess the risk posed by third-party vendors. Further, ASGN conducts penetration tests to detect potential security gaps in cloud and on-premise systems. These tests continuously simulate cyber-attacks on physical hardware, network endpoints, and critical applications such as Oracle, SQL and web services.
ASGN maintains a vigilant approach to cybersecurity and operational readiness, with cybersecurity practices designed to reduce the impact of any incident. ASGN has business continuity and disaster recovery policies. Our plans are tested annually to confirm critical business functions can continue with minimal disruption in unforeseen circumstances.
We conduct regular internal and external audits to adhere to our security policies and procedures and identify improvement areas. Our audits include: annual audits conducted by third-party service providers, internal audits, compliance audits, risk assessments, and incident response audits. In addition to these audits, ASGN collaborates with industry partners, law enforcement agencies, and government organizations to share intelligence and best practices related to cybersecurity. This collaboration helps us stay ahead of emerging threats and continuously improve our security posture.
In 2023, ASGN has not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial conditions.
Governance
ASGN’s data protection and cybersecurity governance structure enables transparency and visibility to key stakeholders: the Company's Board and its Strategy and Technology and Audit Committees, and the Company's Chief Executive Officer. The Board's Strategy and Technology Committee focuses on technology and cybersecurity, while the Board's Audit Committee reviews data security breaches or other issues. Each committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives briefings from management on our cyber risk management program. Board members receive presentations on cybersecurity topics from the Company's chief information officers across our brands ("CIOs") and external experts as part of the Board's continuing education on topics that impact public companies.
Two key enabling bodies, ASGN’s Enterprise Security Council and the Security Operations Center (“SOC”), have primary responsibility for our overall cybersecurity risk management program and provide the structure necessary to set policy and direction as well as operationalize our required security posture.
• Our CIOs lead our internal Enterprise Security Council, collectively representing ASGN and its Segments, which reports to our Chief Executive Officer and the Board's Strategy and Technology Committee. These leaders bring a wealth of experience in security operations, business process re-engineering, software development, ERP systems, and the management of multinational wide area networks. Complementing this expertise, the Enterprise Security Council includes a dedicated team of Cybersecurity Information Professionals (CISP), consisting of brand-specific system engineers and security administrators. The council's primary mandate is to formulate comprehensive data protection and cybersecurity policies for ASGN, oversee the management of emerging security threats, proactively mitigate security risks, and safeguard our valuable assets.
• ECS Federal, LLC ("ECS"), ASGN’s Federal Government Segment, plays a vital role in safeguarding ASGN through its essential security control function. Serving as a managed services provider for both clients and internal operations, ECS oversees the SOC, which is dedicated to monitoring, detecting, and responding to cybersecurity threats across our organization. Operating 24 hours a day, seven days a week, our SOC diligently filters system logs, leveraging proprietary AI/ML tools to identify global threats. We conduct continuous active hunts and forensic analysis inspections on our network, proactively seeking out malware and intrusions.