CoreCivic, Inc. 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

CoreCivic, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 16:57:16 EST.

Filings

10-K filed on 2024-02-20

CoreCivic, Inc. filed an 10-K at 2024-02-20 16:57:16 EST
Accession Number: 0000950170-24-017235

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY . Cybersecurity Risk Management and Strategy We recognize the importance of developing, implementing and maintaining the integrity of our information technology systems and safeguarding the personal data and confidential information we receive and store. We have a cybersecurity risk management program in place designed to assess, identify and manage material risks from cybersecurity threats utilizing a defense-in-depth security strategy that integrates our staff, technology and operations to establish various securities barriers across multiple layers and missions of our operations. Our cybersecurity risk management program is designed to employ industry standard practices across our operations and business functions, including monitoring and analysis of the threat environment, vulnerability assessments, and third-party cybersecurity risks; detecting and responding to cybersecurity incidents, attacks and data breaches; cybersecurity preparedness, incident response plans, and business continuity and disaster recovery capabilities; and investments in cybersecurity infrastructure and program needs. Key aspects of our cybersecurity risk management program include, but are not limited to, the following: Surveillance controls and technical protective capabilities, including a centralized security incident event management system, or SIEM, and a third-party continuous monitoring engagement, that monitors threat detection and response 24/7/365; Utilization of third parties to assess our practices related to, and provide expertise and assistance with, various aspects of information security, as further described below; Annual cybersecurity training for all employees, including social engineering (e.g., phishing, vishing, and smishing), privacy and other related topics; Established policies and procedures that govern information security and cybersecurity which apply to all employees and information systems we control; Business continuity, incident response and disaster recovery procedures, including quarterly tabletop incident response exercises, annual disaster recovery tests, annual unannounced penetration tests, annual phishing campaigns, and annual security control assessments; Database activity monitoring, encryption, secure file transfer protocols and application firewalls; and 58 Maintaining cybersecurity insurance covering certain security and privacy damages and claim expenses resulting from cybersecurity incidents (we periodically meet with our insurer to discuss trends in cybersecurity). We engage third parties in connection with assessing, identifying and managing our cybersecurity risks, including, but not limited to, the following: We engage an independent third-party with incident response expertise to provide intelligence-based cybersecurity solutions and services to assist us with preparing for, investigating, and responding to cybersecurity incidents, including attacks that target on premise, cloud, and critical infrastructure environments. We engage an independent third-party service provider to conduct an annual security program assessment of the controls, maturity and performance of our information security program and the information security risks associated with our technology and business systems. We engage an independent third-party service provider to annually perform external and internal penetration and intrusion testing using industry standard tools and techniques. We engage an independent third-party auditor to help ensure compliance with certain information security standards required under some of our federal contracts. We have an established cadence of reviews, reporting and coordination with government agencies to review cybersecurity metrics, findings and any applicable remediation efforts. These agencies conduct assessments of our controls on a periodic basis using the National Institute of Standards and Technology Cybersecurity Framework. We engage a third-party auditor to review processes and procedures designed to control access to information systems as part of its Sarbanes-Oxley testing. In addition to the third parties described above, we regularly engage consultants, advisors, service providers and other third parties to help develop and manage our cybersecurity risk management program. Further, our internal audit team conducts annual assessments of our cybersecurity risk management program and controls. To help identify and manage cybersecurity risks associated with our use of third-party service providers, we have implemented processes to assess third-party systems which could be compromised in a manner that adversely impacts us and our technology systems. We conduct diligence of significant third-party service providers who will have access to our data or information technology systems and incorporate certain cybersecurity protections in our engagement contracts with such providers. In addition, we require such third-party service providers to promptly notify us of any actual or suspected breach impacting our data or operations. We have a risk assessment program in place to assess, identify and manage material risks from cybersecurity threats. Cybersecurity risks we face include cyberattacks, computer viruses, malicious or destructive code (such as ransomware), social engineering (including phishing, vishing and smishing), denial of service or information or security breach tactics as well as attacks to our website, financial applications, operational technology, telecommunications and human resources data. Our cybersecurity risk management program includes technology and processes designed to maintain active security of our information technology systems. We do not believe that any risks we have identified to date from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, we cannot ensure you that future cybersecurity incidents will not materially affect our business strategy, results of operations or financial condition. For more information on the Company s risks associated with cybersecurity threats and incidents, information and security breaches and technology failures, see Part I, Item 1A. Risk Factors - Interruption, delay or failure of the provision of our technology services or information systems, or the compromise of the security thereof, could adversely affect our business, financial condition or results of operations. 59 Governance Our cybersecurity risk management program is integrated into our overall risk management system. Our BOD has a formalized enterprise risk management program, or ERM Program, which the Risk Committee of the BOD, or Risk Committee, on behalf of the BOD and the Audit Committee of the BOD, oversees. Our ERM Program addresses the identification, prioritization and assessment of a broad range of risks (e.g., cybersecurity, financial, operational, business, reputational, governance and managerial), and the formulation of plans to develop and improve controls for managing these risks or mitigating their effects in an integrated effort involving our BOD, relevant committees of the BOD, management, and other personnel. Our ERM Program is led by our General Counsel and is a component of management s strategic planning process. Our BOD and Risk Committee have primary oversight responsibility regarding our cybersecurity risk management program. Our BOD and Risk Committee each receives regular and frequent updates on cybersecurity and information technology matters from management (including our Chief Information Officer, or CIO) and, periodically, from outside experts. For example, the CIO provides reports to our BOD, Technology Steering Committee and Risk Committee regarding cybersecurity risks, as well as plans and strategies to mitigate those risks, on a periodic basis. In addition, our Enterprise Risk Council, or ERC, is a management-level team comprised of a select group of executive officers, vice presidents, and senior managers overseeing risk, which is responsible for managing enterprise risks and planning and organizing the activities of our organization to minimize the effects of risk on our business, operations and financial results. ERC is led by our General Counsel and our Managing Director, Litigation & Risk Management. The ERC coordinates enterprise risk management reports to the Risk Committee and/or our BOD. Further, the Risk Committee reviews management s cybersecurity risk management program controls, including management s assessment of recent cybersecurity incidents meeting certain criteria. We also have a Technology Steering Committee that assists with fulfilling oversight responsibilities of information technology risks, including cybersecurity risks. The Technology Steering Committee is comprised of our executive officers and relevant business leaders from the information security, information technology, legal, human resources, audit, finance, communication and risk functions, and identifies, defines, manages and measures information technology and cybersecurity risks applicable to us on an enterprise level. The Technology Steering Committee meets quarterly, and reviews all cybersecurity risks and incidents meeting certain criteria, and provides oversight with respect to cybersecurity matters at a management level. Further, the Technology Steering Committee reviews management s cybersecurity risk management program controls meeting certain criteria. Our Technology Cybersecurity Committee is comprised of a subset of our Technology Department, including our CIO. The Technology Cybersecurity Committee meets bi-weekly and reviews all cybersecurity risks and incidents meeting certain criteria, provides oversight with respect to cybersecurity matters at a technology management level, and reports through our CIO to the Technology Steering Committee. We also maintain a management governance structure for reviewing and approving changes related to new and existing systems, software and infrastructure design. Any new items that would require a material change must be reviewed and approved by our architecture review board, or ARB. Non-material changes are governed by the change advisory board, or CAB. The ARB and CAB each meet on a weekly basis and take security impacts into consideration during the decision-making process. All changes, whether approved or rejected, are formally documented in our information technology service management system. As mentioned above, our SIEM tool monitors threat detection and response 24/7/365. Identified threats are alerted and addressed by our information technology team in accordance with internal policies, industry standard practices and regulatory requirements. Audit logs of external security threats are reviewed weekly as part of general event threat intelligence monitoring procedures. Other ongoing monitoring includes data from our information services team, which maintains an audit trail to detect risks in areas such as unauthorized local connections, network use and remote connections. Vulnerability scans are performed weekly and are supplemented on an ad-hoc basis for specific threats or to test patch status. 60 Our Director, Information Security Compliance, prepares an incident summary and collaborates with the CIO to conduct an initial assessment of cybersecurity incidents. They perform an impact assessment with respect to cybersecurity incidents meeting certain criteria and elevate the review of any such cybersecurity incidents for review by our executive officers. Cybersecurity incidents meeting a certain criteria are escalated to our Disclosure Committee for SEC disclosure consideration. The materiality of any cybersecurity incident is ultimately evaluated and determined by our Disclosure Committee in collaboration with our CIO. Our Disclosure Committee is comprised of our executive officers, our CIO, our Chief Ethics and Compliance Officer, and relevant business leaders from our finance and legal departments. The Disclosure Committee is presented with a detailed overview of the cybersecurity incident by the CIO. The Disclosure Committee then evaluates the cybersecurity incident and its potential materiality based on SEC guidance and by considering relevant quantitative and qualitative factors. We have also adopted a cybersecurity incident response plan which provides for controls and procedures in connection with cybersecurity incidents, including these escalation procedures. At a management level, our cybersecurity risk management program is led by our CIO, along with our Director, Information Security Compliance. As of the date of this Annual Report, our Technology Department, led by our CIO, along with our Director, Information Security Compliance, is comprised of nearly 100 technology professionals, with currently 11 of such technology professionals exclusively dedicated to cybersecurity. These 11 technology professionals have an average cybersecurity tenure of 13 years and certifications from ISC2, ISACA, CompTIA and other industry certification leaders including CISSP, CISM, CISA, CCNA, CCNP, Network+, Security+, Project+, A+, CEH, CCSP and ITIL, among other advanced Cybersecurity and Technology degrees, tool and process specific certifications and cybersecurity related work experience. Our Technology Department stays current on cybersecurity issues and trends through continuing education activities such as conferences and participating in webinars, maintaining continuous education requirements for certification bodies, as well as through the monitoring of security and vendor feeds on cybersecurity trends and threats.

Company Information