TrueBlue, Inc. - (TBI)
10-K Filing Date: February 21, 2024
Item 1C.
CYBERSECURITY
CYBERSECURITY RISK MANAGEMENT AND STRATEGY
We acknowledge the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things, harm to our candidates, associates, employees and clients; operational disruptions; violation of privacy laws and regulations; breach of confidentiality and other contractual obligations; litigation and legal action; financial and reputational harm. We leverage cybersecurity technologies and established processes, procedures, and controls to identify, assess, and manage material cybersecurity risks.
Risk assessments
Our Information Security Team, led by our Chief Information Security Officer (“CISO”), consists of a Cybersecurity function and a Governance, Risk and Compliance function, and is constantly monitoring for cybersecurity risks and assessing any such risks’ potential severity. This team employs a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing and tabletop exercises to inform the company of potential risks and mitigation strategies. We also execute an annual enterprise risk management assessment, which includes cybersecurity threat risks in addition to other risk areas that could impact the company.
We use a risk-based approach that is aligned with the National Institute of Standards and Technology. We maintain policies and standards that provide the framework for assessing risk. We conduct an annual information security focused risk assessment, which leverages the process and control areas provided by the International Organization for Standardization (“ISO”) 27001. In September 2021, we received our ISO 27001 Information Security Management certification. In fiscal 2022 and 2023, management performed procedures to validate our continued conformity with the ISO 27001 standard and concluded that existing controls continued to operate effectively. In addition, we assess our cybersecurity threat risks by conducting periodic internal and external risk assessments and annual external penetration testing, as well as maintaining an active vulnerability management program to assess threats at the network, systems and application levels.
Ongoing activities
To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against, detect, and respond to cybersecurity incidents, we undertake the following activities:
• Perform an annual review of all of our policies related to cybersecurity;
• Monitor emerging data protection laws and implement changes to our policies to remain compliant;
• Run tabletop exercises with the cybersecurity incident response team, including executive team members, to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
• Conduct regular phishing email simulations and quarterly security awareness trainings for all employees to enhance awareness and responsiveness to such possible threats;
• Require all employees to review and acknowledge the company’s information security policies upon hiring and annually thereafter;
• Leverage the company’s incident response plan framework and a full set of cybersecurity technology tools, processes and procedures including, for example, security incident and cyber event management, endpoint detection and response, extended detection and response, e-mail gateway, and vulnerability management to monitor any cyber threats and to proactively detect, respond and recover when there is an actual or potential cybersecurity incident;
• Carry insurance that provides protection against the potential losses arising from a cybersecurity incident;
• Conduct annual penetration testing of our external technology and systems perimeter, including remediation and retesting;
• Conduct security assessments for code level vulnerabilities of all our internally developed business-critical applications; and
• Engage independent third parties to perform penetration testing of select business applications.
Incident response
Our incident response plan identifies the key employees responsible for responding to a cybersecurity incident and coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
As part of the above processes, we regularly engage with assessors, consultants, auditors, and other third parties, including periodic third-party reviews of our cybersecurity program to help identify areas for continued focus, improvement and compliance.
Third-party risk management
Our policies and processes address cybersecurity threat risks associated with the use of third-party service providers, including those who access, use and/or store our client, candidate, associate and employee data or have access to our network and systems. Third-party risks are included within our enterprise risk management assessment program, as well as our information security-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform due diligence on third parties that have access to our systems, data or facilities that house such systems or data. This allows us to identify high-risk providers and continually monitor for cybersecurity threat risks appropriately. Additionally, we require contracts with all third parties that have access to our network and systems to include baseline security requirements for adequate data handling, as well as to provide the company with audit rights. Such contractual requirements are reviewed during each subsequent contract renewal process.
Additional information
We describe how the risks related to cybersecurity could materially impact our business strategy, results of operations, or financial condition in more detail under the heading “Risks Related to Cybersecurity, Data Privacy and Information Security” in Item 1A. Risk Factors of this Annual Report on Form 10-K.
In the last three fiscal years, we have not experienced any cybersecurity incidents that have materially impacted or are reasonably likely to materially impact our business strategy, results of operations, or financial condition.
CYBERSECURITY GOVERNANCE
Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management.
Our Innovation and Technology (“I&T”) Committee of the Board is responsible for the oversight of risks from cybersecurity threats. All of our Board members are members of the I&T Committee. At least quarterly, management provides the I&T Committee with updates regarding our cybersecurity risks, threats, and efforts focused on mitigating those risks. These updates are provided by our Chief Technology Officer (“CTO”) and our CISO, and include recent developments in cybersecurity, the company’s actual experience with cybersecurity incidents, and the systems and processes in place to defend against cyberattacks. Should a material or potentially material cybersecurity incident occur, the Board will immediately be notified of such event by the company’s CEO. Our CTO and CISO frequently communicate with affected business and finance leaders regarding any cybersecurity related event.
Our cybersecurity risk management and strategy processes are led by our CTO and our CISO. Such individuals have collectively over 25 years of prior work experience in various roles involving managing information security; developing cybersecurity strategy; and implementing effective information and cybersecurity programs, including governance, risk and compliance oversight for regulatory and contractual compliance. Such individuals are required by their job description to possess several relevant degrees and certifications, including the Information Systems Audit and Control Association (“ISACA”) Certified Information Security Manager and the International Information System Security Certification Consortium (“ISC2”) Certified Information Systems Security Professional certifications. These individuals are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.