GARTNER INC - (IT)

10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY.

We have implemented a layered cybersecurity program to assess, identify, and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems, networks, and data systems. Our cybersecurity program is generally aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Information Security Team and Governance.

The Audit Committee has the primary responsibility of assisting our Board of Directors in overseeing risk related to cybersecurity matters. The Board and/or the Audit Committee receive quarterly cybersecurity-related reports from our Chief Information Officer (CIO), which may address a wide range of topics, such as: cybersecurity strategy, the threat environment, the status of ongoing information security program initiatives, and information security program metrics. Additionally, we have documented protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported to the Board and/or the Audit Committee.

At the management level, our CIO, who reports directly to the CEO, has over 20 years of experience serving in IT management, software development, and technology-based roles across a variety of industries, including publishing, media and entertainment, and financial and insurance services. Our Chief Information Security Officer (CISO), who reports directly to the CIO, has extensive cybersecurity knowledge and skills gained from over 15 years of work experience serving in security roles for the Company and a variety of financial service firms. Our CISO is responsible for understanding, managing, and communicating cybersecurity risk internally to our management, and works closely with Legal to oversee compliance with legal, regulatory, and contractual security requirements.

Our CISO heads the Information Security Team, which is responsible for implementing, monitoring, and maintaining cybersecurity and data protection practices across our business. The Information Security Team covers a wide range of cyber and information security responsibilities. Our CISO also receives reports on cybersecurity threats on an ongoing basis and regularly reviews risk management measures implemented by the Company to identify and mitigate cybersecurity risks. In addition to our internal capabilities, we also engage external consultants, legal counsel, or other third-party advisors to assist with assessing, identifying, and managing cybersecurity risks.

Risk Management and Strategy.

Cybersecurity risk management, which involves resource commitments and management attention, is overseen both as a critical component of our overall risk management program and as a standalone program. We have implemented a risk-based, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents.

Our cybersecurity program uses a layered strategy, relying on technology and human processes to safeguard our clients’ data at all layers. We embed controls within our business processes and technology development, starting with design and engineering and extending to operations. Our defense-in-depth strategy utilizes numerous layers of security controls, processes, and procedures across our information systems and networks, including but not limited to, vulnerability management, multi-factor authentication (MFA), identity access management (IAM), endpoint security, mobile security, application security, encryption, network security, web security, and event monitoring and logging. Aspects of our program undergo several independent third-party audits and reviews on a regular basis.

We maintain a written Information Security Policy, which establishes the foundational components of our cybersecurity program and our high-level security responsibilities over all technologies, facilities and data. When engaging service providers and third-party vendors, we perform due diligence to assess whether these providers have appropriate privacy and security controls, and we generally require these providers to implement appropriate protective measures, and to use confidential information solely for the purposes of performing their services.

Additionally, we have adopted a documented Incident Response Plan that applies in the event of a cybersecurity incident to provide a standardized framework for response. In general, our incident response process follows the NIST 800-61 framework and focuses on four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation.

We have implemented a security training and awareness program for all Gartner employees and third-party contractors. Employees receive security training in connection with onboarding as well as annual awareness and training activities throughout their employment. Further, Gartner carries cybersecurity insurance covering the company and its subsidiaries.

Material Cybersecurity Risks, Threats & Incidents.

While we have not experienced any material cybersecurity threats or incidents, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. Additional information on cybersecurity risks we face can be found in Part I, Item 1A “Risk Factors” of this Report under the heading “Strategic and Operational Risks - We are exposed to risks related to cybersecurity,” which should be read in conjunction with the foregoing information.