KELLY SERVICES INC - (KELYA)

10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY.

Cybersecurity Risk Management and Strategy

Management of material risks from cybersecurity threats for Kelly, Kelly subsidiaries, third-party suppliers and vendors occurs as part of the Company’s Enterprise Risk Management (ERM) program. The Company’s ERM program provides ongoing risk identification, oversight, guidance, and mitigation on various risks, including cybersecurity. The Company has a Chief Information Security Officer (CISO) responsible for the evaluation and mitigation of cybersecurity risks in coordination with the Company’s information technology, law, risk and insurance, and enterprise risk and compliance groups. These groups work in tandem on cybersecurity and privacy governance, and oversee the Company’s approach to information security, privacy, data governance, and IT infrastructure, which includes internal monitoring to proactively identify potential security threats, maintenance of access controls, asset management, response and recovery activities, and training and awareness programs.

The Company maintains technical and organizational safeguards, including employee training, incident response capability reviews and exercises, cybersecurity insurance and business continuity mechanisms to protect the Company’s assets and operations. In addition to our internal information security team, we rely on services from various third parties, including a Managed Security Service Provider (MSSP) and services from an IT solutions organization. To evaluate the effectiveness of these internal and external efforts, Kelly adopted the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and is assessed against the NIST CSF by a third-party firm at least annually. We use the assessment, reviews and exercises to ensure that the Company’s information security program and processes for managing material cybersecurity risks are responsive to changes in the threat environment.

We rely upon multiple information technology systems and networks, some of which are web-based or managed by third parties, to process, transmit, and store electronic information and to manage or support a variety of critical business processes and activities. We actively review the risks associated with all third-party service providers at the inception of our relationship with them and on an ongoing basis as part of our information security program and enterprise risk management third-party risk assessment process. These processes include architecture reviews and contractual clauses related to data protection and compliance, SSAE audits and reviews of vendor SOC 1 and SOC 2 Type II reports for critical vendors and ongoing monitoring and reporting of vendor security by independent third parties.

Cybersecurity Threats

Although we have not experienced a cybersecurity incident that materially affected our results of operations or financial condition, we periodically experience cyberattacks, which may include the use or attempted use of malware, ransomware, computer viruses, phishing, social engineering schemes and other means of attempted disruption or unauthorized access. Additionally, the rapid pace of change in information security and cybersecurity threats could result in cyberattacks with little or no notice. Our relationships with third parties, including suppliers we manage, customers, and vendors to whom we outsource or on whom we rely for business processes or software, create potential avenues for malicious actors to initiate a supply chain attack. Even in instances where we are not the direct target of a malicious actor, we could be exposed to risk due to our relationships and business processes with these third parties.

Despite security measures, unforeseen exploits create an inherent risk of cyberattacks that could materially affect our operations without notice. An event involving the destruction, modification, accidental or unauthorized release, or theft of sensitive information from systems related to our business, or an attack that results in damage to or unavailability of our key technology systems or those of critical vendors (e.g., ransomware), could result in damage to our reputation, fines, regulatory sanctions or interventions, contractual or financial liabilities, additional compliance and remediation costs, loss of employees or customers, loss of payment card network privileges, operational disruptions and other forms of costs, losses or reimbursements, any of which could materially adversely affect our operations or financial condition. Our cybersecurity and business continuity plans, and those of the third parties with whom we do business, may not be effective in anticipating, preventing, or effectively responding to all potential cyber risk exposures. Our insurance coverage may not be sufficient to cover all such costs or consequences, and there can be no assurance that any insurance that we now maintain will remain available under acceptable terms.

Governance

Our Board of Directors oversees consideration of strategic risks to the Company as well as management’s actions to address and mitigate those risks, and delegates oversight of specific risk topics to relevant board committees. The Company’s CISO, Chief Enterprise Risk and Privacy Officer, and Audit Committee Chair of the Company’s Board of Directors review the Company’s cybersecurity metrics on access controls, asset management, response and recovery activities, training and awareness programs, cybersecurity threats and certain incident information quarterly, and on an ad hoc basis when necessary, with each committee chair and other directors (including the CEO) of the Company’s Board of Directors, the Company’s chief people officer, chief financial officer and general counsel. The Chief Enterprise Risk and Privacy Officer holds similar quarterly reviews with the Company’s CEO and executive officers. During these reviews, topics include:

implementation and third-party evaluation of the Company’s cybersecurity program, including applicable policies, procedures, governance, and adopted risk management framework;
the impact of cybersecurity and privacy risks on the Company’s services, employees, customers, suppliers, vendors and the staffing industry; and
information on global regulatory changes and best practices.

In addition to the reports submitted quarterly by the Company’s Chief Risk Officer and CISO, the Vice President of Internal Audit independently assesses the Company’s risk management process and separately reports on the effectiveness of the Company’s risk identification, prioritization, and mitigation processes to the Audit Committee. All board members are kept apprised of the Board’s committees’ risk oversight activities through reports from the committee chairs presented at regular Board meetings. The Company utilizes a multi-layered approach to prevent and detect cyber threats and has standard operating procedures relating to the identification, incident response, notification and management escalation of security incidents. In line with those procedures, the Company activates an emergency management team (EMT), empowered to make decisions and respond to critical events, including cyber incident mitigation and remediation activities. EMT members for information security incidents would include the CISO, the CIO, and the Chief Enterprise Risk and Privacy Officer, additional members from the information technology and ERM teams, as well as representation from the General Counsel Office, Finance, Communications and Business Operations as appropriate. While active, the EMT provides regular reports to the CEO, General Counsel and other members of the senior leadership team.

The Company’s Chief Information Security Officer is responsible for the assessment and management of material risks related to cybersecurity. The CISO reports directly to the Chief Information Officer (CIO), has served in the CISO role since its creation in 2021, and has held similar roles with the Company since 2011. The CISO has more than 30 years of experience in the information technology field, including more than 20 years of experience helping secure organizations in the professional services, manufacturing and US Intelligence/Department of Defense sectors. He holds a BS in Business/Information Systems. In addition, the Company’s Management Team and Cybersecurity and Privacy Governance Team are composed of individuals with collective decades of experience in information technology, data protection, threat response, emergency management, business continuity, and disaster recovery.