LINCOLN EDUCATIONAL SERVICES CORP 10-K Cybersecurity GRC - 2024-03-04

Page last updated on April 11, 2024

LINCOLN EDUCATIONAL SERVICES CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-04 19:22:19 EST.

Filings

10-K filed on 2024-03-04

LINCOLN EDUCATIONAL SERVICES CORP filed a 10-K at 2024-03-04 19:22:19 EST
Accession Number: 0001140361-24-011175

Item 1C. Cybersecurity.

We recognize the critical importance of maintaining the safety and security of our systems and data and we take a holistic approach to the oversight and management of cybersecurity and related risks. This approach is supported by our Board of Directors and management who are actively involved in the oversight of our risk management program.

Our cybersecurity team, which maintains our cybersecurity function, is comprised of technology and cybersecurity professionals in the information technology department, and is led by our Chief Information Officer ("CIO"), who prior to joining the Company has held positions as CIO, Chief Technology Officer ("CTO"), and other key leadership positions in the travel, finance, internet, engineering, and pharmaceutical industries. Our CIO is responsible for management of cybersecurity risk and the protection and defense of our networks and systems. The cybersecurity team has broad experience and expertise, including cybersecurity threat assessment and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance.

Like all companies that utilize technology, we face significant cybersecurity threats that include, among other things, attempts to gain unauthorized access to sensitive student and employee information; attempts to compromise the integrity, confidentiality and/or availability of our systems, hardware and networks, and the information on them; insider threats; malware; ransomware; threats to the safety of our directors, officers and employees; and threats to our facilities, infrastructure and service.

As cybersecurity threats may arise, the cybersecurity team focuses on responding to and containing the threat and minimizing any business impact, as appropriate. In the event of a perceived threat or possible cybersecurity incident, the cybersecurity team is trained to assess, among other factors, student safety impact, data and personal information impact, the possibility of business operations disruption, projected cost, if any, and potential for reputational harm, with support from external technical, legal and law enforcement support, as appropriate.

Our Board of Directors, in coordination with our Audit Committee, is responsible for overseeing our enterprise risk management. In connection with such oversight, the Board of Directors receives periodic updates, as appropriate (and no less frequently than annually), from our CIO regarding the Company's cybersecurity risk management processes and the risk trends related to cybersecurity. The Audit Committee assists the Board in its oversight of risks, generally and risks related to cybersecurity.

Our approach to cybersecurity risk management includes the following key elements:

Multi-Layered Defense Technology
We work to protect our computing environments and products from cybersecurity threats through multi-layered defenses and apply lessons learned from our defense and monitoring efforts to help prevent future attacks. We utilize data analytics to detect anomalies and search for cybersecurity threats.

Continuous Monitoring and Analysis
We utilize a third-party Security Operations Center which maintains a 24/7 monitoring system and provides comprehensive cyber threat detection and response capabilities which complements the Lincoln cybersecurity team and leverages the technology, processes and threat detection techniques used to monitor, manage, and mitigate cybersecurity threats. For additional visibility and perspective, we engage with a different third-party security firm for monthly reviews and analysis. From time to time, we engage additional third-party consultants or other advisors to assist in assessing, identifying and/or managing cybersecurity threats including formalized penetration and cybersecurity testing.

Third Party Risk Assessments
We conduct information security assessments before sharing or allowing the hosting of sensitive data in computing environments managed by third parties, and our standard contracts contain terms and conditions requiring certain security protections.

Training and Awareness
We provide monthly awareness training and testing to help our employees identify, avoid and mitigate cybersecurity threats, including spear phishing and other awareness testing.

Response Policy
We maintain a data breach response policy defining our incident analysis and response actions. This policy describes our initial actions upon learning of an incident, confirmation steps, notification to affected parties if any, risk mitigation planning, and post incident procedures.

While we have experienced minor cybersecurity threats in the past, such as spear phishing or smishing (SMS phishing), to date no such threats have materially affected the Company or our financial position, results of operations and/or cash flows. We continue to invest in the cybersecurity and resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information contained therein. We maintain cybersecurity insurance coverage in amounts that we believe are adequate to address any incidents such as data destruction, extortion, theft, hacking, denial of service attacks and other such incidents.

For more information concerning the risks that we face from cybersecurity threats, please see Part I, Item IA, "Risk Factors."


Company Information

Name: LINCOLN EDUCATIONAL SERVICES CORP
CIK: 0001286613
SIC Description: Services-Educational Services
Ticker: LINC - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: December 30