PERDOCEO EDUCATION Corp - (PRDO)

10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY

The Company recognizes the critical importance of assessing, identifying and managing material risks associated with cybersecurity threats, as well as developing, implementing and maintaining effective cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity and availability of our data. We focus significant resources on protecting our technology infrastructure and the personal information therein regarding applicants, our students, their families, our alumni and our employees. Our principal cybersecurity risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks.

The Board of Directors, as a whole, oversees the Company’s risk management through both the Company’s enterprise risk management program and the internal audit function. To identify and assess material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity threat risks alongside other Company risks as part of our overall risk assessment process.

The Board has delegated oversight of the Company’s management of cybersecurity risk to the Compliance and Risk Committee (the “Committee”). Directors with experience in cybersecurity are appointed to this Committee to assist in developing strategies and processes for protecting against, responding to, and remediating information security breaches. Those directors are Dennis Chookaszian, Patrick Gross and Leslie Thornton. The Committee reviews information security matters quarterly. In addition, the full Board regularly receives updates on cybersecurity matters from our Chief Information Officer, David C. Czeszewski, at each board meeting. The Chief Information Officer reports on, among other things, our cyber risks and threats, the status of projects to strengthen our information security systems, an assessment of the information security program, and the emerging threat landscape. Mr. Czeszewski has a Bachelor of Arts degree in business and computer studies and a Master in Business Administration. He has worked in the technology field since 1986, joined the Company in 2001, and has been its Chief Information Officer since 2013.

The Company also has a long-standing management-led Risk Committee (the “Risk Committee”) which is currently comprised of the President and Chief Executive Officer (who serves as the chair), Chief Financial Officer, General Counsel, Chief Compliance Officer, Chief Internal Auditor, Risk & Insurance Program Manager, Senior Vice President - American InterContinental University System, Senior Vice President - Colorado Technical University, Chief Information Officer and Vice President - Human Resources. The Risk Committee reviews enterprise-wide, business-unit specific and other discrete topic risk surveys and assessments, including cybersecurity risk. The Risk Committee reports identified cybersecurity risks, risk assessment and mitigation processes, effectiveness of risk management and related matters to the Committee.

We also have a cybersecurity-specific risk assessment process, which helps identify our cybersecurity threat risks by comparing our processes to standards set by the Center for Internet Security (“CIS”). As part of these efforts to assess and mitigate the risks posed by cybersecurity incidents and cyber-attacks, we employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises to help inform our cybersecurity risk identification and assessment. We also maintain an information security policy, which addresses privacy of student records under the Family Educational Rights and Privacy Act of 1974 (“FERPA”), and require annual information technology security awareness training by employees. We also maintain a cybersecurity risk insurance policy as an additional element of our risk mitigation strategy.

We engage third-party experts to review our cybersecurity program to help identify areas for continued focus, improvement and/or compliance. These third-party experts perform periodic cyber assessments, including security assessments using the CIS Controls cybersecurity framework. Our processes address cybersecurity threat risks associated with our use of these third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risks to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.

We describe whether and how risks from identified cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the headings “If we, our third-party vendors, our regulators or any other quasi-governmental organization we are required to report information to are subject to cyberattacks, data breaches or other security incidents, or if there is a disruption or failure of our information technology systems or software, such events could expose us to liability and could adversely affect our financial condition and operating results,” “The personal information that we collect may be vulnerable to breach, theft or loss which could adversely affect our reputation, operations and ability to attract and retain students,” and “Our remote work environment may exacerbate the risks related to our business technology infrastructure,” included as part of our risk factor disclosures within Item 1A of this Annual Report on Form 10-K. We have not encountered risks from cybersecurity threats, including as a result of any previous cybersecurity incidents in the last three fiscal years, which have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition, and the expenses we have incurred from cybersecurity incidents were immaterial.