FTI CONSULTING, INC - (FCN)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We operate our segments and their practices through FTI Consulting and its subsidiaries in 31 countries with different business, client, and geographic cybersecurity risk profiles. We aim to proactively identify and assess our vulnerability to cybersecurity threats and actual cybersecurity incidents on an ongoing basis at both the enterprise level, as well as at a more operational level, differentiating unique risks related to our segments, practices, clients, employees, and the locations in which business is conducted. Our Information Technology Group (“ITG”) closely monitors and analyzes cybersecurity incidents and risks and our progress mitigating and resolving such threats. This information is regularly discussed with our outside directors and executive management and other interested parties.
Approach and Integration
Cybersecurity risk is integrated and managed as part of our broader enterprise risk management program under the direction of our Vice President – Chief Risk and Compliance Officer – who works closely with our Chief Information Officer and others, including the Head of our Cybersecurity & Privacy division, to identify, review, assess and address cybersecurity and other security risks. Our Chief Risk and Compliance Officer, Chief Information Officer and the Head of our Cybersecurity & Privacy division are members of the Company’s cybersecurity response team (the “Cyber Response Team”). The Cyber Response Team’s responsibilities include maintaining a Cybersecurity Incident Response Plan, which sets out how cyber threats and incidents are identified and escalated, up to and including to the Board of Directors and other leadership, when appropriate. Direct threats are escalated promptly to the appropriate team, following a path that considers the nature of the threat, the level of risk, and the degree to which it has been substantiated. Indirect threats, such as third-party incidents, are escalated through the ITG to the appropriate corporate functions, as the situation warrants.
Third-Party Engagement and Oversight
Where appropriate, we engage reputable third-party vendors to provide cybersecurity-related services, including security monitoring, risk evaluations, penetration testing, audit, and incident response services, which are aligned with internationally accepted frameworks. Our vendors are selected based on specific due diligence activities, such as evaluations of controls, policies, and processes of such vendors for protecting data, and resolving incidents, as well as entering into written contracts with such vendors that include terms addressing data security, privacy, and incident response expectations, responsibilities and liabilities, and termination rights of the parties. We routinely monitor vendor performance, review compliance with contract terms, and address concerns.
Further, our Vendor Code of Conduct addresses our expectations with respect to data security. When our Procurement group processes a vendor relationship involving information systems, various groups will review the vendor and its systems for potential data security-related issues and risks associated with using the tools, technology, data processing and other services of such vendor. Our contracts include terms addressing the safeguarding of our data.
Incident Response Plan and Training
In the event of the detection of a potentially significant cybersecurity incident or threat, an escalation of a cybersecurity threat, or changes with respect to a current incident, the Company has processes in place to notify relevant employees who assist in the response, as well as third-party vendors. Our ITG and management, in consultation with the Company’s third-party legal counsel and accountants, will assess materiality, informed by ongoing discussions about what criteria would constitute potential materiality considerations. The Audit Committee and necessary directors will be informed of all material events.
To educate our management, employees, and consultants, and to mitigate the risk of human error exposing our Information Technology systems to cybersecurity threats from bad actors, management, employees, and consultants are required to complete online cybersecurity training annually. We also provide regular reminders to employees regarding suspicious emails or other communications and conduct periodic phishing simulations and remedial spot testing and training to reinforce recognition and response techniques.
In 2023, we conducted a tabletop training with an executive officer and an outside director simulating cybersecurity events and appropriate responses. We intend to continue to conduct such simulation training with this group on a periodic basis. Other directors and officers of the Company will be given the opportunity to participate in such training. In addition, our outside directors are encouraged to attend continuing education relating to cybersecurity. In 2023, two directors received certificates in cybersecurity oversight or emerging technologies.
Materiality of Risks
We are subject to and routinely face cyber-based attacks and attempts by hackers and similar unauthorized users seeking to gain access to or corrupt our information technology systems. As of December 31, 2023, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us, including our business strategy, results of operations, or financial condition, or that we believe are reasonably likely to have such an effect over the long term. However, there can be no assurance that we will be able to successfully mitigate the negative impacts of cybersecurity threats in the future. Accordingly, we continue to prioritize our cybersecurity risk management despite the lack of identified material impacts to date.
Governance
Management and Board of Directors’ Role
The Audit Committee meets regularly with management to manage and assess risk exposures and potential damages related to information security, cybersecurity, and data protection and the steps management has taken to identify, monitor, and control such exposures, as well as associated mitigation and remediation action, and actions to continue our operations. Information distributed to and discussed with the Audit Committee includes data on cybersecurity incidents and risks, company-wide enterprise risks, training programs, risk assessments, internal controls, security software, incident response plans, and forward-looking information security and business continuity strategies. The Audit Committee reports directly to the Board of Directors on a quarterly basis.
Expertise of Management
Our Chief Information Officer, who has led our ITG since 1999, holds degrees in Cybersecurity Management and Policy and in Information Management and is certified in various information security applications. The Head of our Cybersecurity & Privacy division has been with FTI since 2007 and has extensive experience in the cybersecurity field. The members of the Cybersecurity & Privacy division have experience and education in cybersecurity, risk management, data assurance, and compliance. Among them they hold various certifications in information systems security and privacy. The practices and activities of our cybersecurity and information technology teams align with internationally accepted management frameworks.
Furthermore, we offer cybersecurity consulting as a service to clients. Our client-facing cybersecurity and information security experts periodically advise our cybersecurity and information technology teams regarding best practices. In addition, from time to time, they address our executives, directors, and other segment or regional leaders regarding complex issues faced by other companies that arise from data-security-related challenges. Among other things, they discuss new and evolving types and levels of threats and attacks, hacking and ransomware, foreign actors, risks driven by new and evolving technologies, including artificial intelligence, potential damages and liability, and technological and other solutions potentially available to mitigate such risks, as well as other company responses. The existence of this team within FTI serves to aid our ability to have current incident and threat intelligence that we can use to bolster our own security posture and defenses. Our cybersecurity practice also provides us with supplemental incident response investigation services in partnership with independent, external consultants, as needed and as appropriate.
For additional information on the risks we face related to cyber and information security threats, please see the related risk factor in Item 1A. Risk Factors.