KFORCE INC 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

KFORCE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 16:06:11 EST.

Filings

KFORCE INC filed a 10-K at 2025-02-21 16:06:11 EST
Accession Number: 0000930420-25-000022

Item 1C. Cybersecurity.

Risk Management and Strategy

Our cybersecurity program helps us secure our systems, keeps our business running around the clock and protects our clients, consultants, employees and shareholders from vulnerabilities and threats. We acknowledge the importance of assessing, identifying, and managing material risks associated with cybersecurity threats including: operational disruptions; violation of data privacy laws and regulations; breach of confidentiality; and financial and reputational harm. With oversight from our Board, the Audit Committee, a special working group comprised of two of our Board members, and key leaders across Kforce, we have put proactive measures and systems in place to protect our information assets from unauthorized use or access, including annual employee training. The Firm’s cybersecurity framework is based on the National Institute of Standards and Technology (“NIST”).

Governance

Management Oversight

Our Chief Information Security Officer (“CISO”) leads our Information Security and Data Privacy Council, which meets quarterly, or more frequently if necessary, to assess, identify and manage cybersecurity threats, support advocacy programs and advise our Chief Information Officer (“CIO”) and CISO on solutions. The council is made up of key members of senior management across the Firm, including enterprise security, human resources, legal, internal audit, finance, procurement, communications and field management.

Our enterprise security team monitors and manages system infrastructure to protect the Firm against cyber threats. Our Cyber Risk Management program considers risks from many sources including, but not limited to, alerts, threat intelligence sources, risk assessments, and vulnerability management. Our Cyber Risk Management process includes risk assessment processes to identify risks, a risk evaluation process that includes risk acceptance or denial at all levels of the organization, and third-party vendor management where each vendor’s security posture is assessed to understand how it strengthens Kforce’s cyber supply chain. We have taken a comprehensive defense-in-depth approach to the implementation of our cybersecurity controls. These controls are set to block and/or provide alerts on suspicious activities. Our around-the-clock security operation center responds as appropriate to risks identified and performs the risk assessment and risk evaluation. Our risk register and risk remediation processes help us ensure we are tracking and addressing priority risks, as appropriate. Any potential risks or threats identified by the enterprise security team are communicated to the CISO, Information Security and Data Privacy Council and other senior leaders as appropriate.

Our Vice President of Internal Audit, in collaboration with our General Counsel, facilitates our enterprise risk management (“ERM”) process. Cybersecurity-related risks are included in our overall risk evaluation for our ERM process to determine top risks for the Firm on an annual basis. Our internal audit team, which reports directly to the Audit Committee, uses the ERM program to develop a risk-based audit plan, which is approved by the Audit Committee annually.

Our CIO is accountable for the Firm’s cybersecurity and data privacy programs and is supported by the CISO. Our CIO and CISO have over 35 and 25 years, respectively, of experience in information security and program management, and have both served over 10 years in our corporate information security organization. Under the guidance of the CIO, the CISO manages day-to-day operations of the security and data privacy functions and proposes changes to the Firm’s cybersecurity strategy, which is part of our overall information technology strategy. The CIO and CISO meet frequently to discuss cyber and data operations, privacy programs and risks. Each of these teams remain in close coordination to ensure risk mitigation strategies are designed and operating effectively.

Board Oversight

The Board is actively engaged in the oversight of cybersecurity and data privacy. The Audit Committee assists the Board in meeting its responsibility to oversee cybersecurity and data privacy strategies and practices. On a quarterly basis, the Audit Committee receives updates on (a) our progress meeting objectives established in our cybersecurity maturity roadmap, (b) relevant reported cybersecurity events in the overall market (and for Kforce, if any) and evolving risks, (c) results of work performed by our information security organization (ex. penetration tests, cybersecurity program maturity assessments) and (d) detailed reports of cybersecurity trends within the Firm. We engage subject matter experts in conducting independent assessments of our cybersecurity program maturity, penetration tests and other tests and assessments. Senior management, including our CIO and CISO, brief the Board on an annual basis on our cybersecurity and information security posture and cybersecurity incidents deemed to have a moderate business impact (even if the incidents do not rise to the level of being material). Annually, the Board and management participate in a strategy discussion on cybersecurity.

To further enhance the Board and Audit Committee’s role in overseeing cybersecurity risks, the Board formed a special working group that is comprised of two members of the Audit Committee to have more frequent and detailed dialogue with executive management (including our COO, CFO, CIO, CISO and VP of Internal Audit) on all areas pertaining to cybersecurity. This working group provides updates on a quarterly basis, or more frequently if necessary, to the Audit Committee. Management also provides the Audit Committee with an annual overview of Kforce’s various lines of insurance that we maintain, including our cybersecurity insurance policy. The Audit Committee provides the Board with quarterly reports on the Firm’s risks and ERM program findings, including cybersecurity risk and data privacy practices.

Third-Party Vendor Management

Many of our information technology systems and networks are cloud-based or managed by third parties, whose future performance and reliability we cannot control. The risk of a cyberattack or security breach on a third party carries the same risks to Kforce as those associated with our internal systems. We seek to reduce these risks by performing significant vendor due diligence procedures prior to engaging with any third-party vendor who will have access to sensitive data. Additionally, we require annual audits of certain third parties’ information technology processes.

As a result, at least in part, of the steps taken by the Firm with respect to our cybersecurity program, to our knowledge, we have not experienced a material breach to date. While all organizations are inherently at risk of cybersecurity threats, we do not believe that cybersecurity threats have affected, or are reasonably likely to materially affect, our business strategy, results of operations or financial condition. However, we routinely face risks of cybersecurity incidents, wholly or partially beyond our control, and there can be no assurance that the security efforts and measures of the Firm and third-party providers will prevent incidents that could adversely affect the Firm’s business. Refer to “Risk Factors Risks Related to Cybersecurity and Technology” in Item 1A. Risk Factors of this report for a discussion of risks from cybersecurity threats that could have a material adverse effect on our business, financial condition and results of operations.


Company Information

Name: KFORCE INC
CIK: 0000930420
SIC Description: Services-Help Supply Services
Ticker: KFRC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30