2025 Oshkosh Corporation Annual Report

The Company implements processes to assess and manage risks associated with using third-party information system service providers. This risk assessment process evaluates both the service provider's security posture and the security controls available from the third-party information system. The service provider's security posture assessment includes reviewing any third-party attestations as well as third-party controls in the following areas: assets, data flows, authentication, access, monitoring, response and recovery. Depending on the type of system or data assessed, additional controls may be added to the service provider's security posture assessment.

The Company maintains an Incident Response Plan that includes processes for detecting, containing and responding to incidents, including processes for reporting incidents to management and the Board of Directors. The Company periodically performs simulations and tabletop exercises at a management level and incorporates external advisors as needed. The Company engages third-party service providers to conduct evaluations of its security controls, whether through penetration testing, independent audits or consulting on best practices to address cybersecurity risks.

Assessing, identifying and managing cybersecurity-related risks is integrated into the Company's overall Enterprise Risk Management (ERM) program. Cybersecurity-related risks are included in the risk universe that the ERM program evaluates on an annual basis to assess top risks to the enterprise. To the extent the ERM process identifies a heightened cybersecurity-related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion.

Governance — The Board of Directors is responsible for general oversight of the Company's risk management program, including cybersecurity risks. Annually, senior management updates the Board of Directors on the Company's ERM program, including identified material risks and corresponding mitigation strategies. The Audit Committee of the Board of Directors oversees management's processes for identifying and mitigating risks, including cybersecurity risks, to help align the Company's risk exposure with its strategic objectives. The CIO provides periodic updates to the Audit Committee on the status of the Company's cybersecurity risk management program; the Company's information systems, cybersecurity and other risks; and the steps management has taken to identify, monitor and mitigate such risks. The Audit Committee is also briefed on cyber crisis contingency planning, incident recovery capabilities and matters related to any material cybersecurity incident the Company may experience.

The Company's business strategy, results of operations and financial condition have not been materially affected by cybersecurity threats, including as a result of previously identified cybersecurity incidents, but the Company cannot provide assurance that it will not be materially affected in the future by cybersecurity risks, threats or incidents. See Item 1A under the caption "Increased cybersecurity threats and more sophisticated computer crime pose a risk to our systems, networks, operations, products and services." for additional information on cybersecurity risks applicable to the Company.
