HireRight Holdings Corp 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

HireRight Holdings Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 17:18:13 EDT.

Filings

10-K filed on 2024-03-12

HireRight Holdings Corp filed an 10-K at 2024-03-12 17:18:13 EDT
Accession Number: 0001859285-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Information security and data privacy are the foundation of our cybersecurity program. We have a dedicated team of members of management in cross functional roles devoted solely to our cybersecurity strategy, design, implementation, monitoring and continuous improvement. The cybersecurity team collaborates with both internal and external parties in the delivery of network security, anti-malware, email security, endpoint security, detection/alerting, application security, data security, identity and access management, incident response, cybersecurity awareness, vulnerability management, and IT risk and threat intelligence. The cybersecurity team is also responsible for informing management of material events and key developments and coordinating with other teams in information technology, legal and privacy, as appropriate for analysis and compliance with legal and contractual obligations. Certain state laws and regulations impose privacy obligations, as well as obligations to provide notification of security breaches in certain circumstances. We have established policies and standard operating procedures to define and implement our cybersecurity strategy, which includes multiple layers of administrative, operational, technical and physical safeguards used to protect information systems and data. Additionally, we have dedicated internal resources and processes in place for assessing, identifying, and managing material risks from cybersecurity threats, which are integrated into our overall risk management processes. The processes for assessing, identifying and managing material risks from cybersecurity threats, including threats associated with our use of third-party service providers, include identifying the relevant assets that could be affected, determining possible threat sources and threat events, assessing threats based on their potential likelihood and impact, and identifying controls that are in place or necessary to manage and/or mitigate such risks. Our third-party service providers are subject to a screening process, which includes risk and security assessments of the provider s data security protocols and a review of contract terms to verify that privacy laws and consumer data protection regulations are considered and incorporated into the services provided to us. We have implemented internal controls designed to both prevent and detect cyber attacks and continue to review and enhance our internal controls and procedures in response to the heightened risk and occurrence of cyber threats. Our cybersecurity controls, which are the mechanisms in place to prevent, detect and mitigate risks in accordance with our policies and procedures, are designed to satisfy the regulatory requirements to which we are 57 subject and are monitored and tested both internally and externally. We are currently ISO27001 certified and obtain an annual SOC2, Type 2 report from a qualified external auditor attesting to the effectiveness of our key cybersecurity controls. Additionally, we maintain redundant data center capabilities for business continuity and disaster recovery in the event of a cybersecurity incident that impacts the availability of our primary operational platforms. Continuously enhancing our IT environment to meet the increasing needs of cybersecurity and privacy regulations remains a top priority. Incident Response Our cybersecurity strategy includes considerations around incident detection and response. We maintain a current cybersecurity incident response plan to prepare for, detect, respond to, and learn from cybersecurity incidents. The incident response plan includes standard processes for reporting and escalating cybersecurity incidents to senior management. Additionally, we have engaged a leader in third-party security solutions to conduct periodic technical and management tabletop exercises to assist in preparing for and responding to cybersecurity incidents. These preparedness exercises are intended to provide hands-on training for the participants and helps us to assess our processes and capabilities in addressing cybersecurity threats. We maintain documented incident response protocols to ensure immediate and consistent application of our processes in the event of an incident. Management and the Board of Directors are apprised of cybersecurity incidents deemed to have a moderate or higher impact to our business, even if the event is ultimately determined to be immaterial. Governance We employ a governance framework that facilitates awareness, oversight accountabilities and risk management activities across the business. This framework includes oversight by the Privacy and Cybersecurity Committee of our Board of Directors, which reviews the effectiveness of the Company s governance and management of information technology risks, including those relating to business continuity, cybersecurity, regulatory compliance and data management. Members of the Privacy and Cybersecurity Committee have broad ranges of expertise and experience in information technology and security. Our chairman of the committee has over twenty years of experience in the field of information security management, having previously held various management and executive-level positions specializing in data center infrastructure and cloud usage, IT systems, consumer identity systems, and back office platforms, The Audit Committee of our Board of Directors is responsible for oversight of our disclosures with respect to cybersecurity incidents or breaches and related compliance matters. In addition to oversight by our Board of Directors and other committees, management meets at least quarterly to consider cybersecurity threats or incidents and the impact they may have on our results of operations. Cybersecurity threats or incidents are considered on both a stand alone and aggregate basis to properly assess the impact of such events and the need for disclosure on Form 8-K as required by SEC rules requiring public companies to promptly disclose material cybersecurity incidents. To date, the risks from cybersecurity threats, including as a result of any previous immaterial cybersecurity incidents, have not materially affected our business strategy, results of operations, or financial condition.

Company Information