Grand Canyon Education, Inc. - (LOPE)
10-K Filing Date: February 13, 2024
Like all companies that utilize technology, we are subject to threats of breaches of our technology systems. To mitigate the threat to our business, we take a comprehensive approach to cybersecurity risk management. Our Board and our management actively oversee our risk management program, including the management of cybersecurity risks. We have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats, including those discussed in our Risk Factors. We have devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and stakeholder expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. While there can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective, we believe that the Company’s sustained investment in people and technologies has contributed to a culture of continuous improvement that has put the Company in a position to protect against potential compromises, and we do not believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incident, have materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that past or future attacks will not materially affect us, including our business strategy, results of operations, or financial condition.
Risk Management and Strategy
At a high level, the key objectives for the Company’s cybersecurity program are to implement and sustain effective security controls to stop intrusion attempts and to maintain and continuously improve its ability to respond to attacks and incidents. Success in achieving these objectives relies upon using quality technology solutions, cultivating and maintaining a team of skilled professionals, and improving processes continuously. Our cybersecurity program in particular focuses on the following key areas:
Risk Assessment: At least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known information security vulnerabilities, and information from external sources, including reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants. The results of the assessment are used to develop initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader Company-wide risk assessment that is then reported to our Board, Audit Committee and members of management.
Technical Safeguards: We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.
Incident Response and Recovery Planning: We have established comprehensive incident response and recovery plans that guide our response in the event of a cybersecurity incident. We continuously test and evaluate the effectiveness of those plans.
Vendor Risk Management: We have implemented a robust vendor risk management program, which is designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers in response to detailed questionnaires and meetings as well as information from third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate. Contract language, purchasing decisions, and/or technology implementation strategies are frequently adjusted as a result of this process.
Education and Awareness: Our policies require each of our employees to contribute to our data security efforts. We regularly remind employees of the importance of handling and protecting data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats. In this regard, the Company has implemented policies and procedures for all employees including: (i) information security/cybersecurity policies, which are internally available for all employees, (ii) information security/cybersecurity awareness training; (iii) a clear escalation process which employees can follow in the event an employee notices something suspicious; and (iv) ensuring that information security/cybersecurity is part of the employee performance evaluation and/or disciplinary process.
Governance Disclosure
Board Oversight: The Board, in coordination with the Audit Committee of the Board, has responsibility for managing the overall risk strategy for the Company, including cyber security risk. They receive regular reports from management about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. Our Audit Committee directly oversees our cybersecurity program. The Audit Committee receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents.
Management’s Role: The Company employs a dedicated Chief Information Security Officer (“CISO”) who has primary responsibility for assessing and managing material cybersecurity risks. Our CISO reports to the Audit Committee of the Board quarterly, to provide updates on any new developments and about the effectiveness of the security program. On behalf of the Audit Committee, the CISO administers a robust risk management program carried out by the Governance, Risk, and Compliance (GRC) team, which is integrated as part of the procurement process when making technology purchases, and also makes recommendations on security policies and procedures, security requirements, and risk mitigation strategies. Our CISO is supported by a highly skilled team of information security professionals, many of whom have advanced certifications and/or graduate degrees relevant to their job requirements. Our team has participated in multiple national and international cyber security exercises, including Cyber Storm, the national training exercise run by the US Department of Homeland Security in conjunction with the US Cybersecurity and Infrastructure Security Agency. Our CISO works closely with our Chief Risk Officer to provide risk reporting and ensure security and compliance.
Chief Information Security Officer: Our CISO has led the Company’s security team for almost seven years, overseeing the implementation of multiple new technologies and processes to help protect the organization. Prior to joining the Company, he served as a Subject Matter Expert for Threat Prevention at a cyber security firm, consulted for local government, held other security and technology roles in higher education, and served in the US Navy. He is also a co-author/contributor for the joint book project, Understanding New Security Threats, published by Routledge in 2019, and has published articles and made conference keynote and podcast appearances over the years on cybersecurity topics.
For more information regarding the risks we face from cybersecurity threats, please see “Risk Factors.”