QUINSTREET, INC - (QNST)

10-K Filing Date: August 21, 2024
Item 1C.Cybersecurity

Risk Management and Strategy

The Company’s cybersecurity program is part of its overall risk management framework. The cybersecurity risk program includes a risk-based approach to identifying, assessing, and addressing cybersecurity threats that could impact our data, our networks, or the information provided to us by consumers and counterparties.

1.
Cybersecurity Risk Management Program – The Company’s cybersecurity risk management program includes the following activities: 
Regular Security Committee meetings where the head of Information Security briefs the Security Committee on cybersecurity threats and responses, strategies and initiatives relating to cybersecurity, and roadmaps for improving the Company’s cybersecurity. 
Training employees on cybersecurity upon hire, and at least annually, with more detailed training provided to those employees that have greater access to data and systems.  
Over two dozen Information Security policies that focus on specific aspects of our cybersecurity risk management (e.g., Vendor Management).

The Company’s Information Security team is responsible for the Company’s cybersecurity risk management program. Their Information Security policies contain processes and templates which are intended to set standards, assign specific roles and responsibilities with respect to our information security environment, and categorize threats and map them to responses as required by law and contract.

2.
Third Party Support – In addition to the internal tests and recurring audits our Information Security team performs on our systems, the Company also engages external consultants and auditors.  For example, the Company engages third party auditors to obtain SOC 2 Type II Certification. Furthermore, the Company regularly works with third party consultants to perform penetration tests. These third-party engagements supplement internal tests and audits as detailed in our Information Security policies.  
3.
Training and Screening of Employees – The Company provides all Information Security policies to new hires. In addition, new hires are required to complete security awareness training which contains cybersecurity principles. Employees must also complete annual security awareness training, with additional and dedicated cybersecurity training for employees with access to more data and systems. As a part of hiring employees and contractors, background checks are performed that involve varying levels of depth depending on the employee’s or contractor’s level of data and system access.
4.
Third Party and Vendor Management – The Company’s Information Security team has established policies and processes to identify and oversee cybersecurity risks associated with using third party service providers and vendors. These include the following elements:
Access Control: The principle of least privilege is applied to manage user’s access of Company’s resources. User access is reviewed at least quarterly.
Vendor Management: One of the Company’s Information Security policies is its Vendor Management Policy. This policy includes conditions for vendor evaluation, how the Company performs its evaluation, and steps for monitoring thereafter.
Privacy Impact Assessments: The Company’s employees are trained to submit a Privacy Impact Assessment for review when there may be new access by a third-party to certain data or the Company may share information in a new way. The Privacy Impact Assessment is reviewed by the Information Security team to assess whether the proposed practices are manageable within the Company’s cybersecurity environment.

34

 

Impact of Cybersecurity Risks on Business Strategy, Results of Operations or Financial Condition

Substantially all of the Company’s business is conducted online. Accordingly, there is a risk that a cybersecurity incident that impacts our ability to conduct business online (including any loss of confidence by consumers and counterparties in our information security practices or capabilities) could have a material adverse impact on our business strategy, results of operations or financial condition. The Company’s approach to the management and mitigation of cybersecurity risks reflects the online nature of our business. To date, we have not experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. As part of the Company’s overall risk mitigation strategy, we maintain cyber liability insurance coverage. Such coverage, however, may not be sufficient to cover us against related claims. For additional information, see “Risks Related to our Business and Industry,” in Item 1A, “Risk Factors” in this Annual Report. 

Cybersecurity Governance

Pursuant to the Audit Committee Charter, the Audit Committee reviews management's assessments of, and plans with respect to, the Company’s cybersecurity and other enterprise risks. The Audit Committee typically receives updates from a Security Committee member quarterly with respect to Information Security team activities.

The Company’s Information Security team is responsible for identifying, assessing, and mitigating cybersecurity risks. The Information Security team reports to the head of Information Technology, who reports to the Chief Technical Officer who reports to the Chief Executive Officer. The Information Security team also briefs the Security Committee (which consists of the Chief Technical Officer, CEO, CFO and Chief Legal Officer) regularly about the cyber threat landscape, their plans to mitigate cybersecurity risks and their responses to cybersecurity incidents.

Back SEC Filing