SCHOLASTIC CORP 10-K Cybersecurity GRC - 2024-07-19

Page last updated on July 19, 2024

SCHOLASTIC CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-19 16:04:32 EDT.

Filings

10-K filed on 2024-07-19

SCHOLASTIC CORP filed a 10-K at 2024-07-19 16:04:32 EDT
Accession Number: 0000866729-24-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C | Cybersecurity Risk Management and Strategy The Company is dedicated to upholding strong cybersecurity measures to protect its operations, data, and stakeholders’ interests. By keeping a close eye on the cybersecurity landscape, the Company is able to adjust its strategies and governance practices to minimize risks in this rapidly changing area. The Company has embraced the NIST-CSF as a blueprint for its cybersecurity program since 2018. This framework’s key domains guide the establishment and continuous improvement of processes to identify, assess, and manage cyber risks and threats. The Company’s controls are routinely monitored by its Security Operations Center. Its cybersecurity program, security posture, incident response, and security awareness training are tested by an external party to evaluate their effectiveness and maturity rating. The Company maintains a comprehensive cybersecurity risk management program designed to identify, assess, manage, and mitigate cybersecurity risks. This program provides a framework for addressing threats and incidents, including those associated with third-party service providers. To secure its technology environment, the Company leverages the latest software and security capabilities, employing a defense-in-depth and layered strategy. This includes deploying next-gen endpoint detection and response, network anomaly detection, and multi-factor authentication across most of its environment. Additionally, the Company engages with third-party consultants and utilizes threat intelligence services to assist in its oversight and risk identification efforts. Furthermore, all employees and consultants with access to the Company’s information systems are required to complete annual data protection and cybersecurity training, as well as ongoing phishing simulation exercises, as part of a broader training. Based on the information known as of the date of this Annual Report on Form 10-K, the Company does not believe that any cybersecurity incident experienced has materially affected or is reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. For additional information about cybersecurity risks, see Item 1A. “Risk Factors.” Governance The Board of Directors is responsible for the overall oversight of the Company’s enterprise risk management. The Board of Directors receives regular updates on the key risks to the organization on a quarterly basis. The Board of Directors has delegated oversight of cybersecurity risks to the Technology, Data and Supply Chain Committee. The Technology, Data and Supply Chain Committee receives quarterly cybersecurity updates from the Company’s Chief Information Officer (CIO) and Chief Information Security Officer (CISO), which include updates on the Company’s cybersecurity policies and strategies, cyber risk posture, improvements and threats, the status of projects designed to continuously improve the Company’s information security systems, assessments of the Company’s security program, employee training and awareness programs, emerging threat landscape and engagement with external cybersecurity experts and advisors, as needed. Management’s Role Management is responsible for day-to-day risk management activities, including identifying and assessing cybersecurity risks, establishing processes to ensure that potential cybersecurity risk exposures are monitored, implementing appropriate mitigation or remediation measures and maintaining cybersecurity programs. Risk mitigation strategies and key performance indicators are defined, and tracked, as part of the quarterly internal reporting. The Information Security & Compliance team consists of subject matter experts in the field on Information Security, Risk Management, Compliance and Data Protection. The Information Security & Compliance team monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through a variety of technical and operational measures, and regularly report to the CISO. The CISO is part of the senior management team and regularly updates the Technology and Data Management Committee on the Company’s cybersecurity program, including cybersecurity risks, incidents, and mitigation strategies. The Information Security & Compliance team is led by the Executive Director, Information Security and Compliance, who has 27 years of experience in IT and Security, including business risk management and cybersecurity, and reports to the Chief Information Security Officer (CISO), who has over 26 years in information technology and security roles. The Information Security & Compliance team has established processes and procedures that guide and enable continuous monitoring, detection, prevention, mitigation, and remediation of cybersecurity incidents. These processes are carried out using various security platforms tools, capabilities and strategies including tests of the Company’s information security program, tabletop exercises, penetration and vulnerability testing, disaster recovery (DR) simulations, and other exercises to evaluate the effectiveness of the information security program and improve the 16 security measures and planning. The Incident Response team utilizes procedures that identify escalation paths when security events are identified. Incident priorities dictate the escalation of events and how an Incident manager reports them, to the executive leadership team within the Company, and the Board of Directors. Cybersecurity risks remain a persistent challenge, as the threat landscape continues to evolve alongside technological advancements. While diligent efforts are made, complete risk elimination or incident assurances are not feasible.

Company Information