Page last updated on March 6, 2025
AMERICAN PUBLIC EDUCATION INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-06 16:03:04 EST.
Filings
10-K filed on 2025-03-06
AMERICAN PUBLIC EDUCATION INC filed a 10-K at 2025-03-06 16:03:04 EST
Accession Number: 0001201792-25-000004
Item 1C. Cybersecurity.
Our Information Security Efforts
Cybersecurity Risk, Management, and Strategy
The performance, reliability, and security of the networks and technology infrastructure we use or rely on is critical to our operations, our institutions’ reputation, and our ability to attract and retain students. We have developed what we believe to be a robust cybersecurity program that incorporates a process of identifying and managing cybersecurity risks across the enterprise. As part of our cybersecurity risk management process, we identify risk by reviewing the elements within our technology stack and processes, including a full scan and identification process designed to cover all of APEI’s digital and physical assets within the organization, covering hardware, software, data, and personnel. Assets are documented and assessed for their value, factoring in their significance and potential cost if compromised. We conduct a threat assessment for both internal (e.g., employees, contractors, etc.) and external (e.g., hackers, malware, etc.) cybersecurity threats, and we have established plans and actions to detect unauthorized activities. We engage third-party consultants to perform assessments, including annual penetration testing, and we maintain a risk register. The risk register includes documentation of identified risks, the potential impact and likelihood of occurrence, mitigation efforts, and the required enterprise-level response. Each of the identified risks is given a risk classification from low to high depending on the probability of occurrence and the severity of impact. At least annually, we conduct tabletop exercises to simulate various attacks, enhancing our preparedness against potential threats. These tabletop exercises are conducted with the support of third-party cybersecurity experts.
We perform continuous monitoring and detection of our systems, networks, and data repositories for suspicious activities by leveraging a third party that provides 24x7 comprehensive monitoring of activity that is outside the normal patterns for our day-to-day operations. Our information security team works to stay up to date on threat intelligence through partnerships with outside agencies. We accumulate security event data into our security information and event management, or SIEM, tool, which tracks and monitors events and provides a comprehensive view of how to respond to various threats. We also have an internal information technology audit team that routinely scans the environment and documents our compliance efforts with regulations and standards that govern our business, such as the Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act, FERPA, and the Gramm-Leach-Bliley Act Safeguards Rule. Cybersecurity threats continue to evolve with the use of emerging technologies, such as AI. These threats can disrupt operations, compromise sensitive data, and erode trust. We strive to make sure that employees and contractors are up to date with their responsibilities and understand the importance of their contributions to staying cyber secure through a robust training and education program. Employees and contractors are responsible for taking mandated cyber training on an annual basis. We also run phishing exercises on a routine basis to help ensure employees and contractors can recognize and report inappropriate activity and social engineering attempts. We have a process of continuous improvement by incorporating lessons learned from attempted attacks and feedback from phishing exercises, among other learnings.
We also have a third-party risk management process pursuant to which new and existing vendors undergo a structured review of their controls and systems, as well as a periodic review from our security team to help ensure vendors protect our data and systems. We seek to require our third-party vendors contractually to maintain a level of security that is acceptable to us. We have not experienced any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or that we believe are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. We maintain specific insurance coverage to mitigate losses associated with certain cybersecurity incidents that impact our or our third parties’ information technology and information systems, but there can be no assurance that coverage would be adequate in relation to any incurred losses. Our cybersecurity risk management process is a standalone process, but it is integrated with and informs our overall enterprise risk management program.
Cybersecurity Governance
APEI’s Information Security Steering Committee, or the Steering Committee, consisting of the Chief Information Officer, Chief Information Security Officer, Chief Financial Officer, General Counsel, and the Chief Human Resources Officer, provides a level of oversight over our cybersecurity program. The Steering Committee meets quarterly and is briefed, among other things, on our cybersecurity program, how we are mitigating risks, any notable events that occurred, and phishing campaign results. In addition, the Steering Committee reviews the program for the proper funding and staffing of the information technology security department as well as alignment of the program with our strategic objectives. The Steering Committee reviews and ratifies security policies and helps ensure the proper controls are in place and being followed.
The Steering Committee is a critical element in reviewing the cybersecurity program against applicable federal and state regulations and its progress on planned improvements. Our Chief Information Officer and Chief Information Security Officer have the primary responsibility for assessing and managing our material risks from cybersecurity threats. Both the Chief Information Officer and Chief Information Security Officer have extensive experience in running and managing a cybersecurity program in both commercial enterprises and government agencies. In assessing and managing our material risks from cybersecurity threats, the Chief Information Officer and Chief Information Security Officer utilize real-time monitoring tools, alerts, and dashboards, proactively hunt for threats, and assess capabilities through penetration testing and tabletop exercises, as well as access and utilize third-party resources. We have established structured processes and mechanisms, including incident reporting and escalation, and a comprehensive incident response and communication plan, in the event of a cybersecurity incident. These plans consist of internal reporting and communication, including to the Chief Executive Officer, Chief Financial Officer, and General Counsel, and, as appropriate, management, as well as external reporting, including notifying the Board of Directors and the proper agencies as appropriate. The Chief Information Officer and the Chief Information Security Officer report significant risks from cybersecurity threats, the level of risk, and any material cybersecurity incidents to the Board of Directors, and annually review with the Board of Directors the budget, utilization of systems, processes, and controls in place to address cybersecurity risks and management. The Chief Information Officer and/or the Chief Information Security Officer update the Board of Directors no less than quarterly on significant developments in these areas.
For more information on our information technology investments and their effects on our results of operations, refer to “Management’s Discussion and Analysis of Financial Condition and Results of Operations - Overview,” and for more information regarding risks related to our information technology, refer to “Risk Factors - Risks Related to Our Technology Infrastructure”.
Company Information
Name | AMERICAN PUBLIC EDUCATION INC |
CIK | 0001201792 |
SIC Description | Services-Educational Services |
Ticker | APEI - Nasdaq |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |