FRANKLIN COVEY CO 10-K Cybersecurity GRC - 2024-11-12

Page last updated on November 12, 2024

FRANKLIN COVEY CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-12 15:47:23 EST.

Filings

10-K filed on 2024-11-12

FRANKLIN COVEY CO filed a 10-K at 2024-11-12 15:47:23 EST
Accession Number: 0000886206-24-000060


Item 1C. Cybersecurity.

Cybersecurity risk management is a key component of our overall risk management efforts at Franklin Covey. We have implemented a layered cybersecurity program to assess, identify, and manage risks from cybersecurity threats that may have material effects on the confidentiality, integrity, and availability of our information systems, networks, and offerings. Cybersecurity risk is addressed at both management and Board of Director levels as described below.

Management’s Role in Assessing Cybersecurity Risk and Directing Strategy

At the management level, primary responsibility for assessing and managing cybersecurity threats and material risks rests with our Chief Information Officer (CIO), who reports directly to our Executive Vice-President of Operations. Our CIO has over two decades of experience in information technology and cybersecurity and is a Certified Information Systems Security Professional (CISSP). The CIO leads a team of five other information system professionals, three of whom also have CISSP credentials. Our CIO and cybersecurity team are responsible for understanding, managing, and communicating cybersecurity risk to our management and works with our legal department to oversee compliance with various legal, regulatory, and contractual cybersecurity requirements.

Our cybersecurity program is aligned with the National Institute of Standards and Technology (NIST) 800 Cybersecurity Framework and uses a layered strategy, relying on technology and human processes to safeguard our systems and client data. Our cybersecurity strategy utilizes numerous layers of security controls, processes, and procedures across our information systems and networks, including but not limited to, multi-factor authentication, identity access management, endpoint security, mobile security, application security, network security, web security, and encryption.

We also use systems and processes designed to reduce the impact of a security incident at a third-party vendor or customer. Additionally, we use processes to oversee and identify material risks from cybersecurity threats associated with our use of third-party technology and systems, including technology and systems we use for encryption and authentication; employee email; content delivery to customers; back-office support and operations; and other functions.

The Company provides ongoing mandatory cybersecurity training for associates that is intended to help them understand cybersecurity risks and comply with our cybersecurity policies. We engage third party professionals to assess our cybersecurity program and to perform audits of portions of our cybersecurity control environment based on risk or where necessary to ensure regulatory compliance. In addition, our internal audit function regularly meets with the cybersecurity team and is implementing a program to periodically test the control framework and operation of our cybersecurity incident response plan. The results of these tests will be presented directly to the Audit Committee of the Board of Directors.

The cybersecurity team meets frequently to monitor the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents. In the event of a cybersecurity incident, we have developed an incident response plan which is designed to “respond, restore, and resume” operation of our information systems and platforms. Our incident response plan also governs our immediate response to attacks, including detection, notification, escalation, assessment, and remediation efforts. The cybersecurity team routinely tests the incident response plan across the organization to validate the procedures for appropriately assessing and escalating risks and incidents. Our cybersecurity team may also coordinate its incident response efforts with external advisors and key stakeholders if necessary.

Board of Director Oversight

The Audit Committee of the Board of Directors has the primary responsibility for cybersecurity risk oversight, including risk priorities, resource allocation, and oversight structures. The Audit Committee and Board of Directors receive regular reports from the CIO on a variety of topics including cybersecurity strategy, the threat landscape, recent developments and trends, and key initiatives. Our incident response plan includes documented protocols which govern established reporting thresholds for escalating cybersecurity incidents within the Company and where appropriate, to the Audit Committee or full Board of Directors.

Cybersecurity Risks, Threats, and Incidents

While we have not experienced any material cybersecurity incidents, there can be no guarantee that we, or any third parties with which we interact, will not be the subject of future successful attacks, threats, or incidents. We rely significantly on information technology for the operation of our business, including our All Access Pass and Leader in Me portals. For more information on cybersecurity risks we face, refer to Part I, Item 1A Risk Factors under the section entitled Cybersecurity and Information Technology Risks, which should be read in conjunction with the information presented in this Item 1C.


Company Information

Name: FRANKLIN COVEY CO
CIK: 0000886206
SIC Description: Services-Management Services
Ticker: FC - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: August 30