RESOURCES CONNECTION, INC. 10-K Cybersecurity GRC - 2024-07-22

Page last updated on July 22, 2024

RESOURCES CONNECTION, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-22 15:55:32 EDT.

Filings

10-K filed on 2024-07-22

RESOURCES CONNECTION, INC. filed a 10-K at 2024-07-22 15:55:32 EDT
Accession Number: 0001084765-24-000089


Item 1C. Cybersecurity.

We have developed an enterprise-wide strategy that we use to assess, identify, and manage material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, malicious attacks, improper employee or contractor access, harm to employees or customers and violation of data privacy, intellectual property or security laws. Our enterprise risk management program incorporates risks related to cybersecurity threats alongside other company risks as part of our overall risk assessment process. We also employ a cybersecurity-specific risk assessment process.

Our cybersecurity risk strategy uses an Information Assurance Program to define the general security policy for our information systems and a Cybersecurity Incident Response Plan for detection, response, recovery, containment, investigation, and analysis following a cybersecurity incident, as well as compliance with legal and regulatory requirements. Our Information Assurance Program addresses the security of information systems and data networks owned or used by us and the information stored, transmitted, or processed by those systems and networks. It defines responsibilities concerning information systems security as well as a uniform approach that promotes information systems security throughout the Company. Our Cybersecurity Incident Response Plan is an enterprise-wide cybersecurity strategy that focuses on detecting and reacting to cybersecurity incidents, determining their scope and risk, responding appropriately, communicating the results and risk to stakeholders, and reducing the likelihood of reoccurrence. To enhance our in-house capabilities, we leverage expertise from professional services firms and/or outside counsel, as needed, to assess our cybersecurity controls, and inform and collaborate on an ever-changing landscape.

We maintain systems that are designed to preempt, detect and monitor cybersecurity threats, including monitoring unusual network activity. As part of our risk management processes, we also perform penetration testing using third-party vendors, conduct periodic cybersecurity awareness training for employees, deploy phishing test campaigns, maintain containment and incident response tools, and periodically review, update and enhance our Cybersecurity Incident Response Plan. We utilize various methods to assess and manage risks associated with third-party service providers, which may be reevaluated periodically, such as upon detection of an increase in a third-party’s risk volume and variability. Further, our Code of Vendor Conduct & Ethics sets forth our expectations for third-party vendors related to data privacy and protection.

As of the date of this Annual Report on Form 10-K, we do not believe that known risks from cybersecurity threats, including as a result of any previous cybersecurity incident that we are aware of, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, we can give no assurance that we have detected or protected against all such cybersecurity incidents or threats or that we will not experience such an incident in the future. Further details about the cybersecurity risks we face are described under “Risks Related to Information Technology, Cybersecurity and Data Protection” in Item 1A. “Risk Factors” of this Annual Report on Form 10-K.

Cybersecurity Governance

Our Cybersecurity Incident Response Plan is overseen by our Cybersecurity Incident Response Team (“CSIRT”), which is led by our Chief Information Officer (“CIO”). Our CIO is an information technology executive with over 20 years of CIO and Chief Technology Officer experience at publicly traded and privately held companies. His experience has included cybersecurity leadership throughout his executive career. The CIO, the Vice President of Information Technology, the virtual Chief Information Security Officer, and other members of the CSIRT, are responsible for the Company’s cybersecurity risk management processes described above, including maintaining systems that are designed to preempt, detect and monitor cybersecurity threats, as well as identifying and responding to cybersecurity incidents.

Our Board of Directors, through the Audit Committee, oversees the management of our technology-related risks, including information security, data protection, cybersecurity, vendor, fraud, and business continuity risks, and technology-related strategies. The Audit Committee receives updates from the CIO on a quarterly basis, and more frequently as needed, regarding, among other relevant information, existing and new cybersecurity risks, the management and/or mitigation of such risks, material cybersecurity incidents (if any), and status on key cybersecurity initiatives. Our Board of Directors, through the Audit Committee, also actively participates in discussions with management on cybersecurity-related news events and discusses any updates to our cybersecurity risk management and strategy programs on a timely basis.


Company Information

Name: RESOURCES CONNECTION, INC.
CIK: 0001084765
SIC Description: Services-Business Services, NEC
Ticker: RGP - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: May 24