HARTE HANKS INC - (HHS)

10-K Filing Date: April 01, 2024
ITEM 1C. CYBERSECURITY
We rely on our technology infrastructure and information systems to interact with our clients, our employees, to sell our services, to utilize our data, to support and grow our client base, and to bill, collect, and make payments. Our technology infrastructure and information systems also support and form the foundation for our accounting and finance systems and form an integral part of our disclosure and accounting control environment. Our internally developed system and processes, as well as those systems and processes provided by third-party vendors that we contract with, may be susceptible to damage or interruption from cybersecurity threats, which include any unauthorized access to our information systems, and which may result in adverse effects on the confidentiality, integrity, or availability of such systems or the related information. Potential cybersecurity threats include terrorist or hacker attacks, the introduction of malicious computer viruses, ransomware, falsification of banking and other information, insider risk, or other security breaches. Such attacks have become more and more sophisticated over time, especially as threat actors have become increasingly well-funded by, or themselves include, governmental actors or other actors with significant means. We expect that sophistication of cyber-threats will continue to evolve as threat actors increase their use of AI and machine-learning technologies.
We have implemented robust processes to assess, identify, and manage cybersecurity risks, including potentially material risks, related to our internal information systems and our products. Our Board of Directors, our internal Risk Steering Committee, in conjunction with our Chief Security Officer ("CSO"), have direct oversight of our management of cybersecurity risks.
Our CSO and the Risk Steering Committee ("RSC") oversee our enterprise risk management process. Under the direction and supervision of our CSO, we conduct an annual comprehensive enterprise risk assessment, which includes details of our management of enterprise-wide risk topics, such as those related to cybersecurity risks. The Board of Directors receives the full results of the annual enterprise risk assessment, including an evaluation of cybersecurity risks presented, a detailed description of the actions we have taken to mitigate these risks, and an analysis of cybersecurity threats and incidents across the industry. The CSO and RSC review the results of the enterprise risk assessment in detail with management on a regular basis and report their findings, as needed, to the Board of Directors.
Our CSO, reporting to our Chief Technology Officer, and in conjunction with our IT Department, has principal responsibility for assessing and managing cybersecurity risks and threats, implementing the systems necessary to address such risks and threats and preparing updates for the Board of Directors. Our CSO has 3 decades of information technology and cybersecurity experience with the last 6 years leading the cybersecurity activities at Harte Hanks, as well as participating in numerous cyber readiness exercises with US Government agencies, and has specialized training in cybersecurity risk management, cloud security and holds a CISSP certification offered by ISC2. Our CSO is also responsible for the operation of our cybersecurity program, and management of our cybersecurity incident response team.
As mentioned above, in response to the increasing threats presented by cyber incidents, in 2020 we established the RSC, which meets regularly. This committee is comprised of our Chief Technology Officer, our General Counsel / Privacy Officer, our Head of Human Resources, each Director of Operations of each of our business units, our Chief Financial Officer and our Chief Executive Officer, as well as other key leaders. The RSC (in conjunction with the CSO) oversees activities related to the monitoring, prevention, detection, mitigation and remediation of cybersecurity risks. The RSC, along with our CSO, develops and implements cybersecurity risk mitigation strategies and activities throughout the year, including the management of comprehensive incident response plans, oversees the cybersecurity risks posed by third-party vendors, and receives regular updates on cybersecurity-related matters.
We have adopted the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to continually evaluate and enhance our cybersecurity procedures. Activities include mandatory yearly online training for all employees, technical security controls, enhanced data protection, the maintenance of backup and protective systems, policy review and implementation, the evaluation and retention of cybersecurity insurance, periodic assessments of third-party service providers to assess cyber preparedness of key vendors, and running simulated cybersecurity drills, including vulnerability scanning, penetration testing and disaster recovery exercises, throughout the organization. These cybersecurity drills are performed both in-house and by third-party service providers. We use automated tools that monitor, detect, and prevent cybersecurity risks and have a security operations center that operates 24 hours a day to alert us to any potential cybersecurity threats. As noted above, our RSC also has effected comprehensive incident response plans that outline the appropriate communication flow and response for certain categories of potential cybersecurity incidents. The RSC escalates events, including to the Chief Executive Officer and Board of Directors, as relevant, according to pre-defined criteria.