LIQUIDITY SERVICES INC 10-K Cybersecurity GRC - 2024-12-12

Page last updated on December 12, 2024

LIQUIDITY SERVICES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-12 14:01:14 EST.

Filings

10-K filed on 2024-12-12

LIQUIDITY SERVICES INC filed a 10-K at 2024-12-12 14:01:14 EST
Accession Number: 0000950170-24-135700

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy The protection of our clients’ data, our brand, and our systems is of utmost importance. We are subject to governmental regulation and other legal obligations, particularly related to privacy, data protection and information security. We have developed comprehensive cybersecurity and data privacy programs across our employee groups and systems, building a culture of cybersecurity and data privacy awareness throughout the organization. In 2024, we achieved both SOC2 Type 1 and TX-Ramp certifications, reflecting our commitment to supporting our clients by aligning our controls and processes with the System and Organization Controls (SOC) compliance framework established by the American Institute of Certified Public Accountants (AICPA). Our process to assess, identify and manage material risks from cybersecurity threats include potential threats associated with third-party service providers, including cloud-based platforms. On an annual basis, we review the SOC2 (or equivalent) attestation of controls for material third-party service providers, coupled with monitoring industry notices and threat intelligence regarding potential vulnerabilities or threats targeting these third-party services. We developed our cybersecurity program by integrating proactive training, vulnerability management, and system design with active threat defense mechanisms. Our marketplace services are protected by multiple layers of security, employing a “defense in depth” 34 approach to asset protection that is backed by AI-powered threat detection and response systems and actively monitored 24/7 by a dedicated team of security professionals. This same organization provides proactive notification and consultation on emerging threats and potential mitigation. In addition, we undertake integrated planning activities to support business continuity and operational resiliency. We assess our program’s effectiveness through various exercises, including active Disaster Recovery production environment tests, tabletop exercises, continuous vulnerability tests, and annual penetration testing. We conduct company-wide mandatory cybersecurity training as well as periodic employee education exercises, such as phishing simulation email campaigns designed to emulate real-world attacks. We view cybersecurity protection and data privacy as a shared responsibility in which all employees are active participants. Each employee undergoes annual cybersecurity training with supplemental training disseminated throughout the year. This continual education helps promote a culture that understands the critical role cybersecurity and data privacy play in protecting our clients’ assets. Furthermore, our computing environments, products, and services are reviewed by our internal security team and our controls are tested regularly by independent third-party assessors as part of our annual SOC2 and SOX re-certifications. Cybersecurity Governance Board and Committee Oversight . Our Board of Directors is responsible for oversight of the Company’s cyber risk management program, including risk identification, mitigation strategy and efforts, and resources. The Audit Committee of the Board of Directors is responsible for reviewing the Company’s financial reporting of cybersecurity risks and incidents in accordance with SEC rules. We will continue to invest in our security infrastructure to ensure it meets or exceeds industry standards for cybersecurity and employ dedicated resources to protect our systems. Management’s Role . Our Internal security team in conjunction with the Chief Technology Officer (CTO) reviews current risks with a cross-functional leadership committee on a quarterly basis. We are not currently aware of risks from known cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For additional information regarding cybersecurity risks, see the risk factor in Part I, Item 1A. Risk Factors captioned: " We are required to maintain the privacy and security of personal and business information amidst multiplying threat landscapes and in compliance with privacy and data protection regulations globally. Failure to do so could damage our business, including our reputation with sellers, buyers, and employees, cause us to incur substantial additional costs, and make us subject to litigation and regulatory action ."

Company Information