ManpowerGroup Inc. - (MAN)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity

We have an enterprise-wide information security program designed to identify, protect against, detect, respond to, and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, detect, escalate, investigate, and remediate identified risks and security incidents in a timely manner. We also maintain a third-party security program to identify, prioritize, assess, mitigate, and remediate third-party risks; however, we often rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful.

We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We use a widely adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards. We conduct regular reviews and tests of our information security controls and leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, red team exercises, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We also engage an independent, industry-recognized security service provider to conduct an annual red team assessment of our security controls, as well as third-party penetration testing of our information systems. The results of these assessments are reported to senior management and the Audit Committee of the Board of Directors.

Our systems periodically experience directed attacks intended to lead to interruptions and delays in our operations and the services we provide to clients as well as loss, misuse or theft of personal information (candidates, associates, vendors, clients and employees) and other data, confidential information or intellectual property, and we have experienced data exposures in the past. However, to date these incidents have not had a material impact on our services, information systems or business. Any significant disruption to our services or access to our systems could result in a loss of clients and adversely affect our business and results of operations. Further, a penetration of our information systems or a third party’s information systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition, and results of operations. See Item 1A of Part I, “Risk Factors,” under the heading “We could incur liabilities or suffer reputational damage from a cyberattack or improper disclosure or loss of personal or confidential data, and our use of data is subject to complex and ever-changing privacy and cybersecurity legal requirements that could negatively impact our business or subject us to claims and/or fines for non-compliance,” which should be read in conjunction with the information above.

The Chief Information Security Officer (CISO) leads our global information security organization responsible for overseeing the Company’s information security program. Our CISO has over 25 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Team members who support our information security program have relevant educational and industry experience, including holding similar positions at various technology companies. The global information security organization provides regular reports to senior management on various cybersecurity threats, assessments and findings.

The Audit Committee of the Board of Directors oversees our annual enterprise risk assessment, where we assess key risks within the company, including security and technology risks and cybersecurity threats. The Audit Committee of the Board of Directors oversees our cybersecurity risk and regularly receives reports from our CISO on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance.
