Donnelley Financial Solutions, Inc. - (DFIN)
10-K Filing Date: February 20, 2024
A core aspect of the Company’s business relies on technology and software; as a result, the security of those technologies and software, as well as the protection of the confidential information entrusted to the Company by its customers, is a key component of the Company’s business and strategy. DFIN maintains many processes for identifying, assessing and managing material risks from cybersecurity threats. These processes are applied throughout the organization and are monitored, updated and assessed. DFIN has developed cybersecurity risk management processes that are integrated into the Company’s overall risk management system and designed to be comprehensive. Risk management committees such as the Enterprise Risk Management Committee and the Ethics and Compliance Committee regularly review the Company’s policies and procedures governing cybersecurity. These policies and procedures inform protocols that align cybersecurity risk assessment and mitigation with evolving risks and threat vectors that affect broader enterprise risk categories, promoting a comprehensive approach. These processes include the identification, assessment and management of material risks derived from cybersecurity threats.
DFIN engages assessors, consultants, auditors and specialized third parties to enhance the Company’s cybersecurity posture. These collaborations provide evaluations, audits and insights to fortify DFIN’s resilience against evolving cyber threats. The DFIN Cybersecurity Program is based upon industry-leading frameworks, which include International Standardization Organization (“ISO”) 27001 and Control Objectives for Information Technology (“COBIT”). The Company’s technologies and software must also comply with domestic and international regulatory and legal requirements. Ensuring that these technologies and software comply with those regulations is a key focus of the Company’s efforts. DFIN has cyber incident response partners that conduct penetration testing and other exercises throughout the year whereby the effectiveness of cybersecurity controls is evaluated and reported to management. DFIN engages a third-party auditor to ascertain its cybersecurity risk management effectiveness as a part of its enterprise ISO 27001 certification process. The ISO 27001 certification process is highly prescribed and covers cyber risk management methodology, risk assessment and risk treatment. DFIN has adopted the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) and engages a consultant to periodically assess the Company’s NIST CSF profile and maturity.
The Company leverages cybersecurity technologies designed to provide for the security of client, employee and business confidential data. The Company’s cybersecurity portfolio includes, but is not limited to, data encryption, data masking, leading secure software development methodologies, application and network penetration testing, incident response, digital forensics, least-privileged access controls, anti-malware, endpoint detection and response, virtual private networks and cyber threat intelligence. In addition, the Company manages a 24x7 Security Operations capability that monitors and responds to cyber threats in real time.
DFIN manages and continues to mature a comprehensive third-party risk management program, referred to as “Supply Chain Security.” The program evaluates critical suppliers for inherent risk and classifies suppliers according to the overall risk they present to the Company. The processes also include evaluating existing suppliers and third parties for ongoing risk. The classification rating determines the frequency with which suppliers are evaluated. For example, those identified as critical suppliers are continuously monitored and assessed. Other supplier reviews occur on an annual basis or at another cadence. Generally, these reviews include an evaluation of the effectiveness of a supplier’s or third party’s cybersecurity along with the risks associated with adding and/or integrating that third party into the DFIN ecosystem. New and existing suppliers that are determined to pose a material risk may be rejected or have their contracts terminated. Supply chain and third-party risk continues to be a top cybersecurity threat vector, and DFIN’s robust processes continue to oversee and identify cybersecurity risks associated with the Company’s use of third-party service providers. The Company believes that its regular assessments and due diligence help mitigate potential vulnerabilities relating to these relationships.
DFIN’s initiatives and internal goals incorporate cybersecurity, including cyber risk requirements and cyber risk analysis. To deliver upon regulatory, client and Company cybersecurity objectives, the Company made investments to support processes, architectures and system operations models that specifically address cyber risk, including but not limited to threat detection and response capabilities, endpoint detection, incident response partnerships and other services provided by managed security service providers. The Company leverages cybersecurity technologies designed to ensure the security of client, employee and business confidential data. Minimization of cybersecurity risk is also a part of DFIN’s overall business strategy and is further evidenced by programmatic endeavors such as adopting a Zero Trust Architecture, wherein all users, systems, applications and networks are deemed untrusted and must be verified. Separately, part of DFIN’s corporate strategy includes maintaining adequate cybersecurity insurance. During the renewal process, underwriters evaluate all aspects of DFIN’s cybersecurity posture, providing another annual evaluation of the Company’s cyber risk management.
Risks from cybersecurity threats, including those described in Part I, Item 1A. Risk Factors, factor into many facets of DFIN’s operations and have a direct influence on business strategy. For example, cybersecurity risk considerations may be factored into how DFIN’s products are designed and how technology is selected. Cybersecurity risk also informs how the Company educates and trains its employees. In 2023, the Company conducted monthly simulations to train employees to detect and respond to various cyber attack vectors such as phishing, vishing and smishing attempts, and provided enhanced training to employees who failed a simulated cyber attack. DFIN also conducted quarterly IT training on topics such as risk detection and data handling and provided targeted cybersecurity threat awareness and training to executives during 2023. The Company conducts Incident Response tabletop exercises throughout the year at different levels of the organization, including the executive team. These incident response plans and training initiatives are regularly evaluated to adapt to evolving cyber threats and awareness. The Company’s goal is to create an ethos of “security first” and “security by design” and to have a culture, with accountability, in which security is the responsibility of every DFIN employee.
No material cybersecurity incident has been identified, nor has any cybersecurity incident materially affected the Company’s business strategy, results of operations, or financial condition during the periods covered by the Annual Report. The Company’s goal is to continually assess potential incidents, enhance protocols, and expand cyber risk capabilities to mitigate future risks and safeguard DFIN’s intellectual property, operations and client data.
DFIN’s Board and senior management are engaged in managing and overseeing the Company’s cyber risks. Internal Audit periodically reviews enterprise risk management topics as well as the effectiveness of information security controls and other procedures, and reports significant findings to executive management and either the Board or the Audit Committee. The Company’s Chief Information Security Officer (“CISO”) has over 29 years of cybersecurity experience overseeing enterprise cybersecurity risk management and compliance programs and has responsibility for assessing and managing cybersecurity risks. The CISO reports to the Chief Information Officer and leads multiple cybersecurity functions, consisting of Cyber Defense and Threat Intelligence, Application Security, Network Security, Identity Governance Administration and IT Governance, as well as Risk and Compliance functions. As the front line of defense against cybersecurity risks, these functions employ several tools, processes and procedures to detect attempted cyber attacks, prevent cyber threats and monitor cyber risks. The functions are also engaged in incident response should incidents occur and are accountable for remediating cyber threats, if manifested.
The Board maintains oversight of risk from cybersecurity threats and is regularly briefed directly by the CISO regarding emerging cyber risks, mitigation strategies and incident response protocols. The Board includes at least one cybersecurity subject matter expert. The CISO periodically engages with the Board in an executive session to provide updates related to threat landscapes, security initiatives and other cybersecurity awareness within DFIN. The Board participates in tabletop exercises to better understand the Company’s incident response planning, and the Company maintains processes and procedures so that material risks or events are escalated and addressed appropriately.