ROBERT HALF INC. - (RHI)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
As part of the Company’s broader information security program, the cybersecurity program includes a defense-in-depth model that utilizes a variety of techniques and tools for protecting against, detecting, responding to and recovering from cybersecurity incidents. The Company’s cybersecurity program is designed to prioritize detection, analysis and response to known and anticipated cyber threats and effective management of cyber risks and resilience against cybersecurity incidents. The Company’s program leverages portions of several industry and regulatory frameworks, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”), NIST 800-53, International Organization for Standardization Information Security Management Systems (“ISO 27001”), the CIS Critical Security Controls, the System and Organization Controls 2 Type 2 (“SOC2 Type 2”), the Payment Card Industry Standards (“PCI”) and the Health Insurance Portability and Accountability Act (“HIPAA”).
Cybersecurity Governance
The Company’s cybersecurity strategy and risk management are overseen by the Board of Directors (the “Board”) and the Audit Committee and are implemented and managed by the Company’s Enterprise Information Security Steering Committee, a cross-functional team of senior executives representing business functions across Robert Half and chaired by the Chief Information Security Officer (“CISO”). The CISO oversees the Enterprise Information Security team (“EIS”).
Board Governance
The Board views cybersecurity as part of the Company’s overall enterprise risk management function, which the Board oversees. The Board takes cybersecurity into account as part of the Company’s business strategy, financial planning and capital allocation.
The Board oversees the Company’s information security program, which includes oversight of the cybersecurity program and management of cybersecurity risks. The Board receives annual updates from the Company’s CISO and/or members of the executive leadership team. Such reports typically address, among other things, the Company’s cybersecurity strategy, initiatives, key security metrics, business response plans, the evolving cyber threat landscape and a detailed threat assessment relating to information technology risks. Notice of potential material cybersecurity incidents to the Audit Committee Chair and the Board is provided for in the Cybersecurity Incident Response Plan (the “CIRP”) and the Cybersecurity Incident Disclosure Control Procedure (the “Cyber Disclosure Procedure”).
Management Governance
The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by the Enterprise Information Security Steering Committee, led by the CISO. The CISO leverages his decades of experience building and leading cybersecurity programs and teams. The CISO has over 20 years of experience as a Chief Information Security Officer in multiple industries and has received Certified Information Systems Security Professional (“CISSP”) and Certification in Risk Management Assurance (“CRMA”) certifications. The CISO is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation and response to cybersecurity threats and incidents and is regularly engaged to determine whether the cybersecurity program is functioning effectively in the face of evolving cybersecurity threats.
Members of the Enterprise Information Security Steering Committee also include the Global Data Privacy Officer, Chief Technology Officer, Chief Administrative Officer, the General Counsel, and the Global Risk Officer of Protiviti.
Specifically, the Enterprise Information Security Steering Committee typically meets at least four times per year, or with greater frequency as necessary, to:
• review with management the Company’s cybersecurity threat landscape, risks and data security programs, and the Company’s management and mitigation of cybersecurity risks and incidents;
• review with management the Company’s compliance with applicable information security and data protection laws and industry standards;
• discuss with management the Company’s cybersecurity, technology and information systems policies, including the guidelines and policies established by the Company to assess, monitor and mitigate the Company’s significant cybersecurity, technology and information systems related risk exposures; and
• review and provide oversight on the Company’s crisis preparedness with respect to cybersecurity, including cybersecurity incident response preparedness, communication plans and business continuity capabilities.
Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
The Enterprise Information Security Steering Committee utilizes a CIRP to: (1) prepare for and protect against cybersecurity incidents; (2) detect and analyze cybersecurity incidents; and (3) contain, eradicate and appropriately report on cybersecurity events. In the event of a cybersecurity incident, the CIRP provides a framework to coordinate the response. The CIRP also addresses escalation protocols to senior management with respect to disclosure determinations related to a cybersecurity incident and provides for Executive Team briefings as appropriate. If the CIRP’s initial investigation of the facts of a cybersecurity incident indicates the need for escalation for potential disclosure, the process in the Cyber Disclosure Procedure will be utilized.
The Cyber Disclosure Procedure establishes a flexible and context-dependent process for determining whether a cybersecurity incident (“Incident”) constitutes a material issue pursuant to the rules and regulations of the Securities and Exchange Commission (“SEC”). A committee of senior management personnel is established to assess potential cybersecurity Incidents. Standing members of the Cyber Disclosure Committee (“CDC”) include the President and Chief Executive Officer, Chief Financial Officer, General Counsel, Global Privacy Officer and Chief Technology Officer.
In considering the materiality of an Incident, the CDC may consider the nature, extent and potential magnitude of the risks to the Company related to the Incident, particularly as it may relate to any compromised information or the business and scope of Company operations. If the CDC determines the Board should be notified, a meeting will be called with the Executive Committee of the Board, the Audit Committee Chair, the Board’s cybersecurity expert or any combination or subset of the foregoing.
EIS conducts annual security reviews of critical vendors. Vulnerabilities in third-party systems and software are monitored and managed through the Security Insights Program, the Company’s vulnerability management program. This program aggregates findings from the vulnerability detection and secure configuration management tools within a dashboard, which allows EIS personnel to focus on high-priority matters.
EIS employs a variety of measures to prepare for and protect against, detect, contain and eradicate cybersecurity incidents and threats. The preparatory and protective measures EIS has in place include, but are not limited to, password protection, multi-factor authentication, internal and external penetration testing, cybersecurity assessments, industry benchmarking, and annual cybersecurity awareness trainings for employees as well as social engineering awareness efforts. To detect and prevent cybersecurity incidents, the cybersecurity program uses automated event-detection technology monitored by the cyber defense team, notifications from employees, vendors or service providers and other tools. The Company has relationships with a number of third-party service providers to assist with cybersecurity incident response, containment and remediation efforts, including a forensic investigation firm, insurance providers and various law firms. While the Company maintains a robust cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, the Company may not be able to detect threats in a timely manner or anticipate and implement adequate security measures. For additional information, see “Item 1A Risks Related to the Company’s Information Technology, Cybersecurity and Data Protection”.
Cybersecurity Risks
The Company is currently not aware of any material cybersecurity incidents or threats that have impacted the Company or its business, financial condition, results of operations, employees, or customers in the past fiscal year. However, the Company and its customers routinely face risks of cybersecurity incidents, wholly or partially beyond the Company’s control, as the Company relies heavily on information technology systems. Although the Company makes efforts to maintain the security and integrity of the Company’s information technology systems, these systems and the proprietary, confidential internal and customer information that resides on or is transmitted through them, are subject to the risk of a cybersecurity incident or disruption, and there can be no assurance that the Company’s security efforts and measures and those of the Company’s third-party providers will prevent breakdowns or incidents affecting the Company’s or the Company’s third-party providers’ databases or systems that could adversely affect the Company’s business. For a discussion of these risks, see “Item 1A Risks Related to the Company’s Information Technology, Cybersecurity and Data Protection.”