ROBERT HALF INC. 10-K Cybersecurity GRC - 2025-02-13

Page last updated on February 14, 2025

ROBERT HALF INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-13 15:19:19 EST.

Filings

10-K filed on 2025-02-13

ROBERT HALF INC. filed a 10-K at 2025-02-13 15:19:19 EST
Accession Number: 0000315213-25-000007


Item 1C. Cybersecurity.

As part of the Company’s broader information security program, the cybersecurity program includes a defense-in-depth model that utilizes a variety of techniques and tools for protecting against, detecting, responding to and recovering from cybersecurity incidents (“Incidents”). The Company’s cybersecurity program is designed to prioritize detection, analysis and response to known and anticipated cyber threats and effectively manage cyber risks and resilience against Incidents. The Company’s program aligns its program using portions of several industry and regulatory frameworks to measure its program and progress, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”), NIST 800-53, International Organization for Standardization Information Security Management Systems (“ISO 27001”), the CIS Critical Security Controls and the System and Organization Controls 2 Type 2 (“SOC2 Type 2”).

Cybersecurity Governance

The Company’s cybersecurity strategy and risk management is overseen by the Board of the Directors (the “Board”) and implemented and managed by the Company’s Enterprise Information Security Steering Committee, a cross-functional team of senior executives representing business functions across Robert Half and chaired by the Chief Information Security Officer (“CISO”). The CISO oversees the Enterprise Information Security team (“EIS”).

Board Governance

The Board views cybersecurity as part of the Company’s overall enterprise risk management function, which the Board oversees. The Board takes cybersecurity into account as part of the Company’s business strategy, financial planning and capital allocation. The Board oversees the Company’s information security program, which includes oversight of the cybersecurity program and management of cybersecurity risks. The Board receives annual updates from the Company’s CISO, and/or members of the executive leadership team. Such reports typically address, among other things, the Company’s cybersecurity strategy, initiatives, key security metrics, business response plans and the evolving cyber threat landscape, and a detailed threat assessment relating to information technology risks. Notice of potential material Incidents to the Board is provided for in the Cybersecurity Incident Playbook (the “Playbook”) and the Cybersecurity Incident Disclosure Control Procedure (the “Cyber Disclosure Procedure”).

Management Governance

The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by the Enterprise Information Security Steering Committee, led by the CISO. The CISO leverages his 15-plus years of experience building and leading cybersecurity programs and teams. The CISO has experience as a Chief Information Security Officer in multiple industries and has received Certified Information Systems Security Professional (“CISSP”) and Certification in Risk Management Assurance (“CRMA”) certifications. The CISO is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation and response to cybersecurity threats and incidents and is responsible for determining if the cybersecurity program is functioning effectively in the face of evolving cybersecurity threats. Members of the Enterprise Information Security Steering Committee also include the Global Data Privacy Officer, Chief Technology Officer, Chief Administrative Officer, the General Counsel and the Global Risk Officer of Protiviti.

Specifically, the Enterprise Information Security Steering Committee typically meets at least four times per year, or with greater frequency as necessary, to:

- review with management the Company’s cybersecurity threat landscape, risks and data security programs, and the Company’s management and mitigation of cybersecurity risks and incidents;
- review with management the Company’s compliance with applicable information security laws and industry standards;
- discuss with management the Company’s cybersecurity, technology and information systems policies, including the guidelines and policies established by the Company to assess, monitor and mitigate the Company’s significant cybersecurity, technology and information systems related risk exposures; and
- review and provide oversight on the Company’s crisis preparedness with respect to cybersecurity, including Incident response preparedness, communication plans and business continuity capabilities.

Senior management of many departments in the Company also engage in an annual tabletop exercise in order to test incident preparedness, review the effectiveness of the Playbook and maintain effective coordination in the event of a security incident.

Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

The Cybersecurity Incident Response Team (“CIRT”) and/or the Crisis Management Team (“CMT”) utilize a Cybersecurity Incident Response Plan (the “CIRP”) and the Playbook to: (1) prepare for and protect against Incidents; (2) detect and analyze Incidents; and (3) contain, eradicate and appropriately report on cybersecurity events. In the event of an Incident, the CIRP provides a framework to coordinate the response. The CIRP and Playbook also address escalation protocols to senior management with respect to disclosure determinations related to an Incident and provides for Executive Team briefings as appropriate. If the CIRT’s initial investigation of the facts of an Incident indicates the need for escalation for potential disclosure, the CMT will utilize the process in the Playbook and the Cyber Disclosure Procedure will be utilized.

The Playbook provides understandable and flexible processes for analyzing and responding to Incidents. In the event of an Incident, the Playbook provides the CMT with predefined steps to follow to respond to, and escalate, cyber security incidents, as appropriate.

The Cyber Disclosure Procedure establishes a flexible and context-dependent process for determining whether an Incident constitutes a material issue pursuant to the rules and regulations of the SEC. A committee of senior management personnel is established to assess potential Incidents. Standing members of the Cyber Disclosure Committee (“CDC”) include the President and Chief Executive Officer, Chief Financial Officer, General Counsel, Global Privacy Officer and Chief Technology Officer. In considering the materiality of an Incident the CDC may consider the nature, extent and potential magnitude of the risks to the Company related to the Incident, particularly as it may relate to any compromised information or the business and scope of Company operations. If the CDC determines the Board should be notified, a meeting will be called with the Executive Committee of the Board, the Audit Committee Chair, the Board’s cybersecurity expert or any combination or subset of the foregoing.

EIS conducts cybersecurity evaluations, reviews and due diligence of (i) critical vendors periodically and (ii) all new vendors prior to onboarding. Vulnerabilities in third-party providers’ information security environments and software are monitored and managed through EIS’ vulnerability management program. This program aggregates findings from the vulnerability detection and secure configuration management tools within a dashboard, which allows EIS personnel to focus on high priority matters.

EIS employs a variety of measures to prepare for and protect against, and detect, contain and eradicate cybersecurity incidents and threats. The preparatory and protective measures EIS has in place include, but are not limited to, password protection, multi-factor authentication, internal and external penetration testing, cybersecurity assessments, industry benchmarking, annual cybersecurity awareness trainings to employees, and social engineering awareness efforts. To detect and prevent Incidents, the cybersecurity program uses automated event-detection technology monitored by the cyber defense team, notifications from employees, vendors or service providers, and other tools. The Company has relationships with a number of third-party service providers to assist with Incident response and containment and remediation efforts, including a forensic investigation firm, insurance providers, auditors, consultants, assessors and various law firms.

While the Company maintains a robust cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, the Company operates with, and plans for, the notion that it is impossible to prevent or detect all Incidents, that Incidents will occur, and that the Company will not always be able to detect threats in a timely manner or anticipate and implement adequate security measures. For additional information, see Item 1A. “Risks Related to the Company’s Information Technology, Cybersecurity and Data Protection.”

Cybersecurity Risks

The Company is currently not aware of any material cybersecurity incidents or threats that have impacted the Company or its business, financial condition, results of operations, employees or customers in the past fiscal year. However, the Company and its customers routinely face risks of Incidents, as the Company relies heavily on information technology systems. Although the Company makes efforts to maintain the security and integrity of the Company’s information technology systems, these systems and the proprietary, confidential internal and customer information that resides on or is transmitted through them are subject to the risk of a cybersecurity incident or disruption, and there can be no assurance that the Company’s security efforts and measures and those of the Company’s third-party providers will prevent breakdowns or incidents affecting the Company’s or the Company’s third-party providers’ databases or systems that could adversely affect the Company’s business.


Company Information

Name: ROBERT HALF INC.
CIK: 0000315213
SIC Description: Services-Help Supply Services
Ticker: RHI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30