KORN FERRY 10-K Cybersecurity GRC - 2024-06-28

Page last updated on July 16, 2024

KORN FERRY reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-28 15:09:13 EDT.

Filings

10-K filed on 2024-06-28

KORN FERRY filed a 10-K at 2024-06-28 15:09:13 EDT
Accession Number: 0001628280-24-030470

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have an established cybersecurity risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. Our cyber risk management program is designed to protect the confidentiality, integrity and availability of our systems and the data of our clients, candidates and company. This program and its processes are an integral component of our enterprise risk management (“ERM”) program. Our cybersecurity program leverages several industry and regulatory frameworks, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, International Organization for Standardization Information Security Management Systems (“ISO 27001”), and the Center for Internet Security Critical Security Controls. Our approach to protecting our systems uses the concept of defense in depth, providing multiple layers of defense, monitoring, and controls. It is a mutually supporting environment of fit-for-purpose technology, established processes, trained security and operations personnel, and supporting external services. As of the date of this report, we have not experienced a cybersecurity incident that has materially affected us, including our business strategy, results of operations or financial condition. While we have not experienced any material cybersecurity threats or incidents, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition, but we face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to have such an effect. Additional information on cybersecurity risks we face can be found in Item 1A " Risk Factors " under the heading “Risks Related to Technology, Cybersecurity and Intellectual Property,” which should be read in conjunction with the foregoing information. People Our global security team is led by our Global Vice President Security who reports to the Chief Information Officer. Our Chief Information Officer has more than three decades of technology, security and leadership experience across both the public 25 and private sector. The Global Vice President Security leads the strategy and execution of our cybersecurity program, has more than two decades of dedicated security experience, and holds multiple security qualifications including Certified Information Systems Security Professional (“CISSP”). He leads an experienced security team, organized and geographically structured with the goal of maximizing responsiveness and coverage for our global enterprise. The team is additionally supported through external services and on demand incident response capabilities. These capabilities include pre-established relationships with industry leading providers for incident containment, forensic analysis, systems recovery, legal advice, and external communications assistance. Technology Korn Ferry has invested in a spectrum of security tools and capabilities designed to prevent compromise of our systems and data. These solutions are selected from well recognized industry leaders and encompass a wide range of security capabilities including, among other things, threat detection, prevention, system monitoring, logging, vulnerability assessment, incident and event management, system and cloud configuration and permission management. To validate the effectiveness of our security capabilities and our supporting environment we assess them across multiple dimensions. This includes the use of independent external third-party security firms to conduct external and internal penetration tests, vulnerability assessments, and audits. Process We leverage a structured process framework based on ISO 27001 to minimize cyber risks and facilitate continuous improvement. We adhere to the principle of least privilege when provisioning access to systems, seeking to limit potential abuse of system privileges by internal or external threats. We train our employees annually in cybersecurity awareness and responsibilities and we engage them throughout the year with phishing awareness exercises, additional focused training, and messaging about current and persistent threats. Employees with privileged access to systems are further trained in security-by-design principles, centered on best practices for securely developing and managing software systems. Our software development processes are governed by a structured systems development lifecycle process that is designed to review new features and system changes for adherence to security requirements prior to deployment. Our systems are further protected via a regular cadence of patching and prioritized vulnerability remediation. Lastly, the use of third-party software in our environment is governed by our third-party risk management (“TPRM”) program, which is designed to assess and remediate cyber and business risks associated with vendor-provided software and services. Integral to our cybersecurity processes is our Security Incident Response Plan (“SIRP”), designed to facilitate the timely and accurate reporting of any material cybersecurity incident. The incident management process is designed so that incidents are appropriately categorized and escalated to the Security Incident Response Team (“SIRT”) for action and materiality determination. Our SIRT is comprised of senior executives including the Chief Financial Officer, Chief Information Officer, Global Vice President Security, Co-Chief Privacy Officers, General Counsel and other members as required depending on the nature of the incident. In addition to managing escalated incidents, the SIRT conducts tabletop exercises to simulate various threat scenarios, and outcomes are used to build experience and to refine the SIRP and response approaches. Korn Ferry has also maintained cyber insurance for more than a decade. Korn Ferry has been certified by the British Standards Institute (BSI) to ISO/IEC 27001 and ISO/IEC 27018 for our key technology platforms and processes across global operations. Governance Board of Directors Oversight Our Board is responsible for the oversight of the Company’s overall ERM program, which includes cybersecurity risks. The Board is briefed at least annually by the Chief Information Officer on the readiness and efficacy of the cybersecurity program. These briefs include a review of the Company’s cybersecurity initiatives, key security metrics, business continuity and disaster recovery plans and updates on evolving cyber threats and mitigation plans. These briefs also review significant updates to procedures, policies, and controls used to identify, manage, and mitigate cybersecurity risks. The Board is supported in this oversight by the Audit Committee, which receives regular updates from members of the executive leadership team including the Chief Financial Officer, General Counsel, Chief Information Officer, and the Senior Vice President Internal Audit on emerging cybersecurity risks and issues. Management Oversight Management regularly assesses and identifies potential cybersecurity risks as a key component of the Company’s ERM program. The Company’s cyber risks are reviewed and prioritized as part of the annual Enterprise Risk Assessment and ongoing quarterly reviews. Changes in these risks are communicated at least quarterly to the Audit Committee. Management further enables regular reviews of systemic, emerging, and ongoing security and data privacy risks through a standing body, the Privacy and Security Executive Committee (“PEC/SEC”) which meets quarterly and whose reporting is used to inform the Audit Committee and annual reporting to the Board of Directors. The PEC/SEC is comprised of senior management including the Chief Financial Officer, Chief Information Officer, Global Vice President Security, Co-Chief Privacy Officers, Chief Human Resources Officer, General Counsel and other senior leaders as required. 26

Company Information