INTERPUBLIC GROUP OF COMPANIES, INC. - (IPG)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We rely extensively and increasingly on information technologies and infrastructure to manage our business (including the digital storage of marketing strategies and client information), develop new business opportunities and digital products, and process business transactions. Digital services and products, advertising and marketing technology, e‐commerce services, data management and analytics and digital brand experience constitute a key part of our client offerings. Our business operations therefore depend on the availability, integrity and secure processing, storage, and transmission of confidential and sensitive information, including personal information, digitally and through interconnected systems, including those of our vendors, service providers and other third parties.
Consequently, we maintain comprehensive policies and procedures designed to prevent and mitigate the risks posed by cybersecurity threats and incidents and to identify, analyze, address, mitigate and remediate those incidents that do occur. As part of our program:
•we regularly review, and update at least annually, our standard policies and procedures related to information technology, and analyze those policies against the standards and controls that we believe are most relevant to our Company, such as the cybersecurity framework published by the National Institute of Standards and Technology (NIST) and the standards published by the International Organization for Standardization (ISO);
•we maintain a dedicated cybersecurity team under the direction of our Chief Information Officer (CIO), including our Chief Information Security Officer (CISO), each of whom has expertise related to data and network security, data governance and risk management;
•we regularly test our internal IT controls;
•we regularly conduct internal as well as third-party attack and penetration tests;
•we maintain, and we require our third-party service providers to maintain, security controls designed to ensure the confidentiality, integrity, and availability of our systems and the confidential and sensitive information we maintain and process, or which is processed on our behalf;
•all employees are required to complete periodic trainings that cover security and privacy best practices and company policies; and
•we have prepared and regularly review our business continuity, disaster recovery and other back-up plans, including as they relate to cybersecurity incidents.
We also work with third-party cybersecurity and data privacy professionals as part of the design and implementation of our program, including our accountants, independent assessors (for example, for penetration testing) of our cybersecurity program, external legal counsel and other consultants.
We have an incident reporting and escalation process designed to detect and analyze cyber incidents as they occur to determine appropriate response action and reporting, including the materiality of any such incidents to our financial condition and operations. This process includes:
•continual monitoring of our systems and logs by both internal and outsourced staff;
•immediate escalation to an incident reporting call and review by our CIO of certain signals, including evidence of external threat actors, ransomware attacks, data exfiltration, identity compromise or unusual requests from management or certain departments;
•if deemed appropriate, reporting by our CIO to the Executive Risk Committee, comprised of multi-disciplinary senior leaders across the organization, including representatives of our accounting, human resources, finance, information technology and legal functions, and consultation with internal and external legal counsel, for further review and determination of the scope and materiality of the incident or incidents, including whether public disclosure is appropriate or required; and
•informing our Board of Directors (the “Board”) and the Audit Committee of the Board of significant or material cybersecurity incidents, as appropriate.
All incidents are documented and cataloged for further review by the CISO team.
While we, our clients and our vendors are regularly exposed to malicious technology-related events and threats, none of these threats or incidents, either individually or in the aggregate of related occurrences, have materially affected the Company in the period covered by this report. In determining materiality, cybersecurity incidents are reviewed not only for potential financial impacts, which could include potential legal and regulatory penalties, stolen assets or funds, system damage, forensic and remediation costs, lost client revenue or litigation costs, but also the breadth and sensitivity of data exposure, data exfiltration, impacts on the ability to operate our business or provide our services, client dissatisfaction, and loss of investor confidence. See Item 1A, Risk Factors, for more information on the cybersecurity threats facing our Company.
Governance
Our Board actively oversees Interpublic’s risk management activities both directly and through its committees and considers various risk topics throughout the year, including cybersecurity and information security risk management and controls. As part of its oversight function, the Board oversees the Company’s risk assessment and risk management policies and performs an annual review and assessment of the primary operational and regulatory risks facing Interpublic, their relative magnitude and management’s plan for mitigating these risks. At least annually, our CIO and CISO report to the full Board with a comprehensive report addressing a broad range of topics, including updates on strategy and investments, significant cybersecurity incidents that have occurred since the last update, the status of projects and initiatives to update our cybersecurity policies and practices, industry trends, and ongoing efforts to prevent, detect, and respond to internal and external critical threats.
The Audit Committee oversees the design and operation of the Company’s enterprise risk management program, including, in conjunction with the Board, oversight of its cybersecurity framework and the strategy, policies and practices implemented by the organization to appropriately mitigate such risks. Such oversight includes discussions with management and the Company’s internal auditors on the magnitude and steps taken to address and mitigate any such risks. As a regular part of its meetings, risks related to cybersecurity are reviewed by the committee as part of the internal and external audit reports to the committee.
Interpublic’s senior management is responsible for assessing and managing the Company’s various exposures to risk, including those related to cybersecurity, on a day-to-day basis, including the identification of risks through a robust enterprise risk management framework and the creation of appropriate risk management programs and policies to address such risks. Our CIO and CISO have primary responsibility for managing our cybersecurity program and efforts. They work closely with key stakeholders, including internal committees such as the information security steering committee, peer institutions, and industry groups, in order to manage cybersecurity and information security risk. Our internal audit team is responsible for the testing and audit of our information-technology internal controls. In addition, leaders from our communications, finance, legal and risk teams participate in incident response training, including tabletop exercises, designed to enhance our ability to respond to cybersecurity incidents quickly, efficiently and with the appropriate degree of urgency. More generally, our Executive Risk Committee has primary responsibility for overseeing the Company’s risk framework and the material risks facing our Company.
We believe our information technology team to be well-qualified in this area. These qualifications include collective decades of professional experience in the field, in both private enterprise and government, and training and certification such as Digital Directors Network, Qualified Technical Expert training and certification, National Association of Corporate Directors (NACD) certification, Certified Information Systems Security Professional (CISSP) certification, ISO 27001 certification, and BCS certification, as well as recent participation in IT and cybersecurity programs organized by leading educational institutions with expertise in the field.