ROLLINS INC - (ROL)
10-K Filing Date: February 15, 2024
Item 1.C Cybersecurity
The Company has security incident response policies and procedures for identifying, assessing, and managing material risks arising from cybersecurity incidents, including those arising from third-party service providers. The Company’s Chief Information Security Officer (“CISO”), who has 30 years of experience in information technology and information security and has several industry certifications such as CISSP, CCSP, CISM, CRISC, and CIPP, is primarily responsible for managing cybersecurity risks. The CISO assesses cybersecurity incidents and classifies them by severity level in accordance with the Company’s Security Incident Guidelines, which determine how each cybersecurity incident is managed and communicated. The Company uses both internal and external resources to assess risk and manage its IT and 24x7 cybersecurity operations, including managed service providers who assist in the support of key business systems. The Company may also periodically engage external consultants to assist with cybersecurity incident management, particularly where advanced or specialized expertise may be required. The Company’s Incident Response and Breach Notification Policy outlines the procedures that the Company follows for evaluation and recovery from an incident, including containment of the affected systems, to restore our systems to normal operations. To date, the Company has not had a cybersecurity event that materially impacted or is reasonably likely to materially affect its business strategy, results of operations, financial condition, or the security of its proprietary data.
The Audit Committee monitors the cybersecurity risk management and cyber control functions, including external security audits, and receives periodic updates from experienced senior management knowledgeable about assessing and managing cyber risks, including, as appropriate, updates on the prevention, detection, mitigation, and remediation of cyber incidents.
Cybersecurity incidents that significantly impact the confidentiality, integrity, or availability of Company data or the reliability of the Company system or network are reported to certain members of the Company’s Executive Leadership Team, including the Chief Executive Officer, Chief Financial Officer, Chief Information and Administration Officer, and General Counsel, for assessment of the materiality of the incident, which will be made using both quantitative and qualitative analyses to determine an incident’s immediate and reasonably likely future impacts. Such cybersecurity incidents are also reported to the Audit Committee. Cybersecurity incidents that moderately impact the confidentiality, integrity, or availability of Company data or the reliability of the Company systems or networks are reported to the Security Incident Response Team, for assessment of the materiality of the incident.
Our privacy compliance and digital risk management initiatives focus on the threats and risks to enterprise information and the underlying IT systems processing such information as part of the implementation of business processes. We have also implemented policies and procedures for the assessment, identification, and management of material risks from cybersecurity threats, including internal training, system controls, and monitoring and audit processes to protect the Company from internal and external vulnerabilities and to comply with consumer privacy laws in the areas in which we operate. Further, we limit retention of certain data, encrypt certain data and otherwise protect information to comply with consumer privacy laws in the areas in which we operate. The Company also has a cross-functional group of representatives from several departments that comprises the Cybersecurity and Privacy Committee, which meets at least quarterly to discuss information related to cybersecurity and privacy compliance at the Company, including training, policies, and trends. We also rely on, among other things, commercially available third-party vendors, cybersecurity protection systems, software, tools and monitoring to provide security for the processing, transmission and storage of protected information and data. The systems currently used for transmission and approval of payment card transactions, and the technology utilized in payment cards themselves, all of which can put payment card data at risk, meet standards set by the payment card industry.
The Company has a global cybersecurity training program that requires all employees with access to the Company networks to participate in regular and mandatory training on how to be aware of, and help defend against, cybersecurity risks. Also, the Company regularly tests the efficacy of its training efforts as well as its systems to assess vulnerabilities to cybersecurity risks, including tabletop incident response exercises.
Annually the Company conducts an Enterprise Risk Assessment during which management identifies and quantifies risks, including cybersecurity risks, that could enhance or impede the Company’s ability to achieve current or future strategic objectives. The conclusions of the annual Enterprise Risk Assessment are shared with the Audit Committee. The CISO also reviews with the Audit Committee the strategy, priorities, and goals of the cybersecurity program.