Page last updated on March 17, 2025
NATIONAL RESEARCH CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 10:51:43 EDT.
Filings
10-K filed on 2025-03-17
NATIONAL RESEARCH CORP filed a 10-K at 2025-03-17 10:51:43 EDT
Accession Number: 0001437749-25-007867
Item 1C. Cybersecurity.
We have a robust information security program to safeguard our information and systems as well as third parties that create, receive, or transmit our information or are critical to our operations. The controls within the program are constantly updated to adapt to technological advancements, regulatory changes, and operational needs, ensuring that we uphold our strict standards and unwavering commitment to maintaining confidentiality, integrity, and availability of our valuable information assets.

Risk management & strategy

Our information security program, including cybersecurity risk management, is integrated into our overall Enterprise Risk Management Program ("ERMP") framework. Our ERMP assesses strategic, operational, and environmental factors to identify key and emerging risks across the organization, including cybersecurity risks. A key risk matrix is maintained to evaluate the potential impact of key risks and monitor the effectiveness of mitigation and controls. We, our customers, suppliers, and subcontractors face cybersecurity risks such as phishing, ransomware, zero-day exploits, malware attacks, and social engineering attacks. A cybersecurity incident impacting us or our subcontractors could materially adversely affect our performance and results of operations. For more information about the cybersecurity risks we face, see the factors set forth under the caption "Risk Factors" in Part I, Item 1A of this Annual Report on Form 10-K.

Our cybersecurity risk management procedures encompass comprehensive administrative, technical, and physical security measures. Our Security Team meets, subscribes to intelligence sources, and actively participates in professional organizations to stay informed and have reliable access to the latest information on emerging threats and vulnerabilities. We utilize both internal tools and third-party resources to perform risk and vulnerability assessments, as well as penetration testing. This includes a comprehensive managed security service that operates 24/7, dedicated to scanning and analyzing potential threats. Our Contractors and Third Parties Policy requires certain vendors to undergo annual reviews, including security assessments and site visits. Additionally, our subcontractor agreements require that they report any security incidents. Risk assessment results and recommendations are documented in our risk register, reported, and closely monitored by our security team. Annually, we engage independent auditors to issue a System and Organization Control (SOC) 2 - Type II report based on their examination of our critical systems used to provide services to our clients for the suitability of design and operating effectiveness of controls.

Governance

The Board of Directors has the responsibility to oversee our enterprise risk management framework and associated policies and procedures. The Audit Committee of the Board has been assigned the responsibility to inquire of management, the independent accountants and the internal auditor about significant risks and exposures, including risks and exposures relating to data privacy, information security, and cybersecurity, and assess the steps management has taken to minimize such risks and exposures; and to make recommendations to the Board, as and when appropriate, as to the scope, direction, investment levels, and execution of our data privacy, information security and cybersecurity initiatives. Our Enterprise Risk Management Committee (ERMC), which includes certain associates with data privacy, information security, and cybersecurity experience, supports our Board of Directors in this oversight. The ERMC reports to the Audit Committee of the Board of Directors. The ERMC manages the ERMP and provides regular updates to the Audit Committee regarding our key risks and ERMP developments.

Our Vice President of Privacy Compliance also reports to the Audit Committee on a regular basis, providing an Information Security Report, which includes information such as our information system risk profile, our top risk challenges, and security initiatives and strategies. Additionally, the ERMC communicates emerging risks and the mitigation of those risks to the Audit Committee, among other things. Significant cybersecurity matters and strategic risk management decisions are elevated to the overall Board of Directors to enable oversight and guidance on critical cybersecurity issues.

Our Vice President of Privacy Compliance, Jen Spencer, is an ERMC member and has primary responsibility for our Information Security Program, including the maintenance and enforcement of our security policies. Ms. Spencer serves as an advisor to our leadership team, assisting them in optimizing security measures, mitigating risk, fortifying defenses, and minimizing vulnerabilities. Ms. Spencer develops written policies and procedures and conducts training to ensure our entire organization is well-protected. She is responsible for overseeing and executing the strategic plan for our data protection program, information security systems, compliance, computer networks and business continuance/disaster recovery. Additionally, Ms. Spencer actively participates in project management duties and manages information security integration efforts, working closely with internal teams, vendors, subcontractors, and clients. Ms. Spencer has over twenty years of experience in cybersecurity, privacy, and compliance. Her primary job responsibilities include security, privacy, and compliance, including AI data governance. Ms. Spencer works on several working groups through H-ISAC, Women in Bio, and Women in AI Governance. Prior to NRC she was the CIO/CISO/CPO for the Rochester RHIO and Manager of Information Security and GRC with Excellus Health Plan. She graduated from Rochester Institute of Technology (RIT) with an eMBA and a Master of Science in IT Security. She earned her paralegal certificate from Stony Brook University and holds several industry certifications. Ms. Spencer is also an adjunct professor at RIT, the University of Virginia and the Blue Ridge Virginia Governor's School.
Company Information
Name | NATIONAL RESEARCH CORP |
CIK | 0000070487 |
SIC Description | Services-Commercial Physical & Biological Research |
Ticker | NRC - Nasdaq |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |