SPAR Group, Inc. - (SGRP)

10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity

 

SPAR Group Inc. recognizes the increased global cybersecurity threats and sophisticated, targeted computer crime and the risk it poses to our operations. We rely on information technology and data to operate our business and develop, market and deliver our products and services to our customers.

 

Our cybersecurity risk management program is led by our Chief Information Officer (“CIO”), who is directly responsible for establishing cybersecurity strategies and structures and managing ongoing cybersecurity risk management activities. Our CIO is part of the executive management team and updates our CEO and executive management monthly, or even more frequently, on cybersecurity enhancements and the development and implementation of our roadmap.

 

We have strategically embedded cybersecurity risk management within an enterprise-wide framework, ensuring that it permeates across various facets of our operations. This integrated approach encompasses administrative protocols, operational strategies, organizational structures, physical safeguards, and technical measures, all tailored to align with the scope and nature of our business.

 


Cybersecurity Risk Management and Strategy

 

We believe this integrated approach allows cybersecurity considerations to be an integral part of our decision-making processes. Our day-to-day cybersecurity work is led by our CIO and Head of Infrastructure. Both are highly experienced professionals. This group works closely with our executive management to continuously evaluate and address cybersecurity risks in alignment with our business and operational needs.

 

Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a combination of third-party assessments, internal audit, IT security, governance, risk and compliance reviews. To defend against, detect and respond to cybersecurity incidents, we, among other things:

 

 

- Proactively review threat intelligence and other information obtained from governmental, public or private sources.
- Perform network vulnerability scans and cyber-hygiene assessments, and continually evaluate and address perceived gaps.
- Conduct companywide cyber awareness training and ongoing new employee cyber training.
- Deploy a wide array of industry-leading third-party solutions to continuously monitor network and endpoints.
- Test and evaluate backup processes on an ongoing basis.
- Perform disaster recovery tabletop exercises to assess readiness for possible events.

 

As noted, to operate our business, we utilize certain third-party service providers to perform a variety of functions and provide certain security-related services, such as outsourced business critical functions, professional services, SaaS platforms, managed services, cloud-based infrastructure, data center facilities, content delivery to customers, encryption and authentication technology, corporate productivity services, and other functions; as well as third parties that assist us to identify, assess and manage cybersecurity risks, including professional services firms, threat intelligence service providers, cybersecurity software providers, penetration testing firms and other vendors that help to identify, assess or manage cybersecurity risks.

 

In addition, we have implemented an incident response and breach management plan which has four overarching and interconnected stages:

 

- Detection of a security incident,
- Identification and containment,
- Response, eradication and recovery,
- Post-incident analysis and future preparations.

 

The plan also provides the process and workflow of communication for escalating incidents to executive leadership, which determines incident classification, impact severity, and whether further actions are warranted and, if so, which. Incident responses are overseen by leaders from our Software, Infrastructure Engineering, and Executive teams.

 

Cybersecurity Governance

 

Cybersecurity holds a significant role within our risk management procedures and remains a focal point for our Board and management. Under the Board's oversight of general risk identification and management activities, the Audit Committee specifically monitors cybersecurity risks. Committee members engage in comprehensive discussions with management regarding these risks, as well as the measures taken to safeguard the company's information systems and security, along with reviewing management's steps towards data privacy protection. Additionally, the Audit Committee receives annual cybersecurity updates from senior management, covering both existing and emerging risks, management's responses and mitigation efforts, any cybersecurity or data privacy incidents, and the status of key information security initiatives. Furthermore, our Board members regularly hold informal discussions with management about cybersecurity news events and any updates to our cybersecurity risk management and strategy programs.

 

The leadership of our cybersecurity risk management and strategy is guided by experts from our Software, Infrastructure Engineering, and Executive teams. With backgrounds spanning information technology, security, systems, programming, and corporate strategy, these individuals are equipped to oversee prevention, detection, mitigation, and remediation of cybersecurity incidents. They actively engage in managing our cybersecurity risk processes, including executing our incident response plan, and regularly report relevant matters to executive management and the Audit Committee.

 

We carry insurance that provides protection against the potential losses arising from a cybersecurity incident. However, there is no assurance that our insurance coverage will cover, or be sufficient to cover, all losses or claims that may result from a cybersecurity incident.

 


Last year

 

During the last fiscal year, 2023, the Company did not encounter any material cybersecurity incidents, nor did it incur any notable expenses as a result.