MAXIMUS, INC. 10-K Cybersecurity GRC - 2024-11-21

Page last updated on November 21, 2024

MAXIMUS, INC. described its cybersecurity risk management and governance process in Item 1C of its annual report on Form 10-K, filed on 2024-11-21 at 14:19:02 EST. The text of that item is reproduced below.

Filings

10-K filed on 2024-11-21 at 14:19:02 EST
Accession Number: 0001032220-24-000094


Item 1C. Cybersecurity.

Risk Management and Strategy

Cybersecurity forms a critical component of the services we provide to our customers. We collect and utilize many different types of information, including financial, medical, human resources, and other personal information. Federal and state laws and regulations, contractual obligations, and national and international industry standards impose obligations on us to protect the confidentiality, integrity, and availability of information relating to employees, clients, vendors, patients, and citizens. We maintain an Information Security Office (ISO), whose mission is to protect the confidentiality, integrity, and availability of data through administrative, technical, and physical safeguards.

Identifying, assessing, and managing cybersecurity-related risks is integrated into our overall enterprise risk management (ERM) process, which is our approach to identifying, assessing, and mitigating major risks. Cybersecurity threats are evaluated based on our perceived vulnerability to a particular threat and the potential impact such a threat could have, with mitigation efforts focused on the highest risks. This risk assessment is updated no less than annually and reviewed by the Board of Directors.

We have experienced cybersecurity incidents that were immaterial and, as previously disclosed, in the third quarter of fiscal year 2023, we experienced a material cybersecurity incident in which the personal information of a significant number of individuals was accessed by an unauthorized third party exploiting a zero-day vulnerability in a third-party vendor's file transfer application used by many organizations, including us. We have recorded expenses in connection with the investigation and remediation activities related to this incident; further details are included in "Note 15. Commitments and Contingencies" in Item 8 of this Annual Report on Form 10-K.

To date, we are not aware of any other cybersecurity incidents that have had a material effect on our business. Despite our preventative and remediation efforts, we may continue to experience cybersecurity incidents in the future. There can be no guarantee that such efforts will be sufficient to protect the company's information systems, information, and other assets from significant harm and that future cybersecurity incidents will not have a material adverse effect on the company or its results of operations or financial condition or cause reputational or other harm to the company. Refer to Item 1A of this Form 10-K, which includes a section on "Risks Pertaining to Data and Data Security," for further discussion of the associated risks.

We engage third parties to conduct independent cybersecurity assessments. The assessments include technical control reviews of new technologies, penetration testing, and ongoing monitoring of our security posture. We also rely on third parties to conduct annual audits to maintain cybersecurity certifications, such as ISO27001 and Cyber Essentials. As a government contractor, we are also subject to numerous Service Organization Control (SOC) audits each year to fulfill contractual requirements.

The ISO manages our security vendor risk management program. Each vendor's cybersecurity risk is ranked using a risk tiering calculator. The calculator is designed to provide a consistent methodology for evaluating key risk factors, such as the type of service or product the vendor provides and the location and classification of data. For high- and moderate-risk vendors, an assessment is completed that includes reviewing external audits and certifications (e.g., SOC 2 Type 2 audit, ISO27001 and associated Statement of Applicability, FedRAMP authorization). As needed, an industry-standard questionnaire is completed by the vendor and the results assessed by the ISO in an effort to ascertain information security maturity and overall posture. High-risk vendors are re-evaluated annually, while moderate-risk vendors are evaluated every three years. Ongoing monitoring is in place for all high-, moderate-, and low-risk vendors using an external service that rates the cybersecurity posture of corporate entities using a scored analysis of cyber threats. We are in the process of implementing an enterprise-wide third-party risk management program that expands the review of vendors and includes financial and operational screening. This new solution is designed to help ensure compliance with the National Institute of Standards and Technology (NIST) supply chain risk framework that is required when supporting federal agencies.

Governance

Board's Roles and Responsibilities

Oversight for risk management and the overall enterprise risk management strategy of the Company, including cybersecurity, is the responsibility of the Board of Directors. Risks identified are monitored by the Board as a whole, or the Board may delegate oversight to a specific subcommittee. Our Technology Committee, composed of four board members possessing relevant background and experience, assists the Board of Directors in its oversight role with respect to strategy and risk management for our information systems, information technology (IT), and IT security, including cybersecurity. The Technology Committee is briefed at least quarterly on the quality and effectiveness of our cybersecurity practices and policies, information security program and infrastructure, and data governance and security program, along with key initiatives in this area. The Technology Committee also assesses the cybersecurity risk management strategy. This assessment includes reviews of the results of audits, testing, and metrics, including reports of third-party reviewers.

We have an incident response process and an escalation process in place to promptly identify, notify, and brief the Board, including the Chair of the Technology Committee, outside of the regular reporting process in the event of an emerging or potentially material cybersecurity incident. The Board of Directors may choose to delegate responsibility for oversight of a particular cybersecurity matter to the Technology Committee in its discretion.

Management's Roles and Responsibilities

Our cybersecurity response is handled by our information security team and managed by our Chief Information Security Officer (CISO), who reports to the Chief Financial Officer. Our CISO has over thirty years of business and technical experience in information risk, risk management, and regulatory compliance, including twelve years in a CISO role. Our information security team manages risks by establishing policies and procedures that manage information system access appropriately. These policies and procedures are tested through internal exercises and with external assistance and supplemented by training and communication to our employees and subcontractors. Cybersecurity threats are constantly evolving, which drives the evolution of our responses. Typical activities for our information security team include system monitoring, new hire and annual training, testing and evaluation, including "phishing" exercises, and publication of tips and best practices. The results of this testing are communicated company-wide, including to the Technology Committee of the Board of Directors. Our CISO reports to the Technology Committee as requested, but no less than quarterly.


Company Information

Name: MAXIMUS, INC.
CIK: 0001032220
SIC Description: Services-Business Services, NEC
Ticker: MMS - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29