LAUREATE EDUCATION, INC. - (LAUR)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We have implemented processes for overseeing, identifying and managing material risks from cybersecurity threats and have integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level and that cybersecurity risk remains a key component of management activities, including continuously assessing, identifying, and managing material risks from cybersecurity threats.

Our management, with input from our Board of Directors, performs an annual enterprise-wide risk management (“ERM”) assessment to identify and manage key existing and emerging risks for our company. Our ERM process assesses the characteristics and circumstances of the evolving business environment at the time and seeks to identify the potential impact, likelihood and velocity of a particular risk. Our senior executive management team has the overall responsibility for, and oversight of, our ERM process, and senior executives are assigned to monitor and manage top identified risks. Cybersecurity is among the top risks identified for oversight as a result of our last annual ERM assessment.

Systems and process monitoring are essential components of our cybersecurity risk management and information security programs. Management utilizes industry standard tools and procedures to monitor the information security of systems, networks and information assets, regardless of geographic location, and has implemented key policies and procedures, including but not limited to cybersecurity threat detection and analysis, a framework for materiality determination and a reporting-up process to assist in the disclosure of a material event, if required. In addition, management has defined key roles and responsibilities within our organization to handle material cybersecurity incidents. A comprehensive incident response plan is utilized for any threat activities identified, including timely containment, analysis, remediation, and communication, and is also applicable to third parties with access to our information systems or assets. We have implemented security programs, such as mandatory cybersecurity awareness training for all our employees, simulated phishing emails and tabletop exercises, that are strategically designed and continuously updated to address evolving cybersecurity threats and the latest industry trends. These programs, which are held multiple times a year, allow our employees to both identify and address material cybersecurity incidents, utilizing our comprehensive incident response plan.

Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants and auditors in evaluating and monitoring our cybersecurity programs and assets. This enables us to leverage specialized knowledge and insights, ensuring our cybersecurity risk management, strategies and processes remain at the forefront of industry best practices.

Because we are aware of the risks associated with third-party service providers, we have implemented processes to oversee and manage these risks, including security assessments of all third-party providers before engagement. In addition, cybersecurity program maturity of such third parties, including incident response and disclosure, is also evaluated.

To date, our business strategy, results of operations or financial condition have not been materially affected by risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. The sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. For more information on our cybersecurity related risks, see “Item 1A—Risk Factors—Risks Relating to Our Business” in this Annual Report on Form 10-K.

Governance

Our Board of Directors has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence.

The Audit and Risk Committee assists the Board of Directors in its responsibilities of overseeing cybersecurity risk. Our Chief Operating Officer (“COO”) and Chief Information Security Officer (“CISO”) play a pivotal role in informing the Audit and Risk Committee on cybersecurity risks. They report to the Audit and Risk Committee on a quarterly basis on a broad range of topics, including assessments and scoring of our information security program; incident management, the incident response plan and the status of security tools; the current cybersecurity landscape and emerging threats; and the status of ongoing cybersecurity awareness and training and projects to strengthen our information security systems. Additionally, our Executive Director, Internal Audit presents a quarterly report on our enterprise risk management activities, including cybersecurity risks, to the Audit and Risk Committee. The chair of the Audit and Risk Committee, in turn, periodically reports on its review with the Board of Directors, and our COO and CISO report annually to the Board of Directors regarding our cybersecurity program and risk management.

Our CISO (who also serves as our Chief Information Officer) leads our information security organization and has primary responsibility for information security strategy and policy and for managing our cybersecurity threat detection and response plan. With over 25 years of experience in information security, IT infrastructure and cybersecurity and with several industry certifications, such as the Certified Chief Information Security Officer certification, our CISO brings a wealth of expertise to the role. Our CISO oversees our cybersecurity governance programs, monitors and assesses cybersecurity threats, monitors compliance with industry best practices and standards, and leads our ongoing employee cybersecurity training and awareness program.
