Spok Holdings, Inc - (SPOK)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Spok's enterprise risk management program includes our cybersecurity risk management program ("Cybersecurity Program"), which is designed to protect the confidentiality, integrity and availability of our critical systems and information. Our Cybersecurity Program is designed utilizing guidance from the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and includes security policies and procedures, security appliances and software, third-party vulnerability testing, business continuity plans, and other administrative, physical and technical measures. Executive management, including Chief Information Officer (CIO)/Chief Information Security Officer (CISO) and VP Technology Operations, has overall responsibility for assessing and managing key cybersecurity risks; implementation of the Cybersecurity Program is led by key information technology and security management members, including the CIO/CISO, who have a combined total of over four decades of experience, specialized training, and various certifications in information technology and cybersecurity strategy, tools and governance. As part of the enterprise risk management program, our Cybersecurity Program shares similar methodologies, reporting channels and governance processes with other areas across the Company.
The Cybersecurity Program includes, but is not limited to, the following processes that collectively help management to stay informed about and monitor the prevention, detection, mitigation and remediation of risks and incidents:
• Risk assessment program to assess, track and address security risks.
• Incident Response Plan to identify, evaluate, remediate and report incidents, as appropriate.
• Security testing by external third-party providers to identify potential threats and vulnerabilities.
• Reviews of critical third-party connections, including a security assessment and restrictions based on the third-party's risk profile.
• Security training for employees and contractors, including alerts for new security developments, as warranted.
Cybersecurity is part of our Board of Directors' oversight function. Our Board of Directors has delegated oversight of cybersecurity and other information technology to its Audit Committee. Our Audit Committee receives regular reporting from executive management on our cybersecurity risks and, as necessary, updates on cybersecurity incidents. Our Audit Committee and executive management report to our Board of Directors regarding its activities, including the Cybersecurity Program. Our Board of Directors also receives continuing education on the cybersecurity risks that impact public companies.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, which have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Item 1A. “Risk Factors – Cyberattacks, data breaches or other compromises to our or our critical third parties' systems, data, products or services could have a material adverse effect on our business.”