DHI GROUP, INC. - (DHX)
10-K Filing Date: February 08, 2024
Item 1C. Cybersecurity
Cybersecurity is at the foundation of the Company's values and the way it approaches its users, professionals, and customers. We face a number of external threats common to companies in the industries we serve, such as ransomware, denial-of-service, phishing, and social engineering. Our customers, suppliers, and professionals face similar threats, and a cybersecurity incident impacting the Company or any of these entities could materially adversely affect the performance of our businesses, our results of operations, and our cash flows.
We maintain cyber event-related insurance, but we have also instituted an information security structure and process to assess, identify, manage, and, if necessary, report cybersecurity risks. We maintain a cybersecurity incident response process and a tracking system for any incidents in an effort to ensure appropriate actions are taken. Any member of the Company can report a suspected incident, and it will be investigated.
We have implemented data security standards in our architecture and system design techniques. Reviews and testing of our systems and subsystems are performed at regular intervals and are designed to ensure our capability to respond to cybersecurity incidents or threats. Our cybersecurity framework is based on the National Institute of Standards and Technology Cybersecurity Framework. In accordance with this framework, risks are analyzed for impact and probability to determine severity level, with classifications of critical, high, medium, or low risk. These processes have been integrated into our overall risk management system and processes and are part of our operating procedures, internal controls and information systems. In addition, we engage in an ongoing improvement process to enhance our cybersecurity posture.
Third parties also play a role in our cybersecurity. We engage third-party services to assist in the scanning and testing of our web properties and cloud infrastructure. We have a retainer with a cybersecurity response organization to immediately respond and provide professional expertise and assistance if necessary. Our process is designed to provide any required notifications in case of a cyber event, including those to federal, state, and local authorities, as well as to our insurance providers and auditors.
We also utilize a supply chain risk management process to assess cybersecurity risks associated with third-party software providers. We perform third-party risk assessments to both identify and mitigate risks from third parties such as vendors, suppliers, and others associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers and potential fourth-party risks when handling and/or processing our employee, business or customer data. In addition to new vendor onboarding, we perform risk management during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents.
The Company maintains a Security Council that regularly meets to review current or potential threats. The Security Council's membership consists of the following: the Company's Chief Executive Officer, Chief Financial Officer, Chief Technology Officer, General Counsel, Vice President of Technology, Manager of Security, and Head of Internal Audit. We also employ a Security Department responsible for cybersecurity across the organization. The individuals in this department are vetted for their experience and expertise before joining the team and maintain continued education and training each year using our enhanced learning program. This department's responsibilities include cybersecurity risk management, security operations, awareness training, incident response, industry awareness, and reporting. The team assesses and maintains awareness of global cybersecurity threats by using several services and notifications from our vendors. The team then considers each of these threats as applied to our environment, processes, operations, vendors, and clients. The Security Council is led by the Chief Technology Officer, Vice President of Technology, and Manager of Security, each of whom has a depth of knowledge and experience in the cybersecurity space.
Our Board of Directors has ultimate oversight of cybersecurity risk, which it manages as part of our enterprise risk management program, while the Audit Committee is directly responsible for oversight of the Company's cybersecurity and is briefed by the Security Council on a quarterly basis. Members of the Audit Committee receive updates on a quarterly basis from senior management, including leaders from our Information Security, Product Security, Compliance and Legal teams regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.
Although the risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected, and are not reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition, such incidents could have a material adverse effect in the future as cyberattacks continue to increase in frequency and sophistication.
See Item 1A. Risk Factors “Capacity constraints, systems failures or breaches of our network security could materially and adversely affect our business. If we fail to manage our technical operations infrastructure, our existing customers may experience services outages, and our new customers may experience delays in the deployment of our solution.”