Sterling Check Corp. 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

Sterling Check Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 17:09:58 EST.

Filings

10-K filed on 2024-03-06

Sterling Check Corp. filed an 10-K at 2024-03-06 17:09:58 EST
Accession Number: 0001645070-24-000029

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. As our technology-enabled background and identity verification services involve the collection and transmission of confidential and sensitive information of our clients and their users and existing and potential employees, managing cybersecurity risks is a key component of our enterprise risk management plan. We have a comprehensive risk management and governance strategy in place to assess, identify and manage cybersecurity risks to our business and our proprietary technology platform. Risk Management and Strategy Our cybersecurity program is designed to protect our information systems from cybersecurity threats and to ensure the confidentiality, integrity and availability of systems and information used, owned or managed by the Company related to our employees, our clients and their users and existing and potential employees. This involves a comprehensive and ongoing effort to protect against, detect and respond to cybersecurity threats and vulnerabilities. Our cybersecurity program includes a number of components, such as: policies, procedures and protocols concerning information security and data protection; regular employee security awareness trainings; regular employee phishing trainings; regular third-party audits of our cybersecurity program; an incident response plan that sets forth the steps to be taken following an actual or suspected cybersecurity incident or other data-related event; periodic tabletop exercises associated with our incident response plan and processes; and tools designed to detect and prevent cybersecurity incidents. As part of our enterprise risk management program, we use the results of both internal and external information security audits, and data associated with our analysis of cybersecurity metrics within our information technology environment to inform and direct our overall cybersecurity strategy. Each year, we engage auditors to perform recognized standard audits related to cybersecurity, including a System and Organization Controls ( SOC ) 2 review to test our information technology system internal controls. In addition, we engage other third-parties, from time to time and on an as needed basis, in the performance of tests and assessments associated with the cybersecurity of our operating environment. We maintain a centrally-managed third-party risk management process that includes a cybersecurity assessment performed during the procurement process and periodically thereafter of third-party service providers that may have access to sensitive information and/or systems, or applications that we have determined to be important to our operations. Material Effects from Risks of Cybersecurity Threats From time to time, we experience data and cybersecurity incidents. To date, we have not experienced any risks from cybersecurity threats (including as a result of prior incidents) that have materially affected or to our knowledge are reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. Any future actual or perceived cybersecurity incidents, including the failure to protect the confidentiality, integrity, availability and privacy of our data and electronic transactions, or any misuse of our information services by our clients, employees, vendors or hackers, could cause significant harm to our business and reputation and result in significant liability. Such liability could include harm to our brand and reputation and cause us to lose existing clients and market share and fail to win new clients, and may require 63 Table of Contents expenditure of significant costs and operational consequences in connection with investigating, mitigating, remediating, eliminating, and putting in place additional measures designed to prevent future actual or perceived cybersecurity incidents. Governance Role of Management Our Technology & Security Team, which is led by our Chief Technology Officer ( CTO ), Ivneet Kaur, oversees our cybersecurity program. Ms. Kaur has over 20-years experience in leading global technology & security teams, including in the financial services and consumer reporting industries. She holds a Masters degree in Engineering Management from the University of College Park, Maryland and a Masters in Software Systems from Kurukshetra University in India. Members of our Technology & Security Team hold industry certifications such as CISSP, Security+, and GIAC. Under our incident response plan, the Technology & Security Team is tasked with identifying and responding to actual or suspected cybersecurity incidents or other data-related events, as well as escalating qualifying incidents and events to a cross-functional leadership team, which includes representation from Technology, Security, Privacy and executive leadership, including our Chief Legal & Risk Officer. The leadership team is responsible for supervising incident response, remediation and compliance with any notification and disclosure obligations with respect to any incidents that have been escalated in accordance with our incident response plan. The Technology & Security Team conducts regular security assessments and employee security awareness trainings and tracks cybersecurity events through the preparation of quarterly status reports and metrics. The team presents these reports and metrics, together with additional internal metrics associated with the status of the Company s cybersecurity program and updates on the status associated with enterprise risk mitigation for technology-based programs, including cybersecurity initiatives, to the Audit Committee of the Board of Directors (the Board ) at least bi-annually. Additionally, the Company s Enterprise Risk Management Team ( ERM Team ), which is responsible for assisting the Company in identifying, assessing, managing, mitigating and reporting on top enterprise risks (including cybersecurity risks), provides updates to the Audit Committee at least bi-annually. Role of the Board of Directors Our Board has delegated responsibility for overseeing our technology, cybersecurity and data privacy programs and controls to the Audit Committee. The Audit Committee evaluates the adequacy of the Company s technology and cybersecurity (including data protection) programs, with the CTO. The CTO provides periodic updates concerning the Company s technology and cybersecurity programs (including data protection) to the full Board on an annual basis.

Company Information