Hudson Global, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

Hudson Global, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 16:54:41 EDT.

Filings

10-K filed on 2024-03-14

Hudson Global, Inc. filed an 10-K at 2024-03-14 16:54:41 EDT
Accession Number: 0001210708-24-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy. The Company has developed an information security program to address material risks from cybersecurity threats. The program includes policies and procedures that identify how security measures and controls are developed, implemented, and maintained. A risk assessment, based on a method and guidance from a recognized national standards organization, is conducted annually. The risk assessment along with risk-based analysis and judgment are used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk, impact on the Company and others if a risk materializes, feasibility and cost of controls, and impact of controls on operations and others. Specific controls that are used to some extent include endpoint threat detection and response (EDR), identity and access management (IAM), privileged access management (PAM), logging and monitoring involving the use of security information and event management (SIEM), multi-factor authentication (MFA), firewalls and intrusion detection and prevention, and vulnerability and patch management. Third-party security firms are used in different capacities to provide or operate some of these controls and technology systems, including cloud-based platforms and services. For example, third parties are used to conduct assessments, such as vulnerability scans and penetration testing. The Company uses a variety of processes to address cybersecurity threats related to the use of third-party technology and services, including pre-acquisition diligence, imposition of contractual obligations, and performance monitoring. The Company has a written incident response plan and conducts tabletop exercises to enhance incident response preparedness. Business continuity and disaster recovery plans are used to prepare for the potential for a disruption in technology we rely on. The Company is a member of an industry cybersecurity intelligence and risk sharing organization. Employees undergo security awareness training when hired and annually. The Company has a Governance, Risk, and Compliance (GRC) function to address enterprise risks, and cybersecurity is a risk category addressed by that function. The Company (or third parties it relies on) may not be able to fully, continuously, and effectively implement security controls as intended. As described above, we utilize a risk-based approach and judgment to determine the security controls to implement and it is possible we may not implement appropriate controls if we do not recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate risks. And events, when detected by security tools or third parties, may not always be immediately understood or acted upon. Additionally, cybersecurity risks and threats that could have a material impact on the Company are discussed further in the Item 1A Risk Factors. Those sections of Item 1A should be read in conjunction with this Item 1C. Governance. The Global Head of IT is the management position with primary responsibility for the development, operation, and maintenance of our information security program. Responsibilities of this role include management of third-party vendors, ensuring data interactions with outside parties, adhering to IT security best practices, and ensuring that all devices within the Company’s IT infrastructure are appropriately secured and managed. It also encompasses ensuring that all employees are educated in IT best practices around incident management and security, ensuring the security of the internal and external IT systems, as well communicating to senior management and planning for future IT strategy and IT security. The Company has an established Information Security Committee to manage the information security risk assessment framework. This framework includes a defined methodology and tolerable level of risk documented within the Information Security Management System (“ISMS”) and relevant controls addressing business risks. The committee is informed of all security incidents and ensures appropriate remediation activities are implemented. The Company s ISMS are audited by both internal and external parties on a regular basis. Results of audits and material security incidents are presented to the Board of Directors on a quarterly basis.
Item 1C. Governance. The Global Head of IT is the management position with primary responsibility for the development, operation, and maintenance of our information security program. Responsibilities of this role include management of third-party vendors, ensuring data interactions with outside parties, adhering to IT security best practices, and ensuring that all devices within the Company’s IT infrastructure are appropriately secured and managed. It also encompasses ensuring that all employees are educated in IT best practices around incident management and security, ensuring the security of the internal and external IT systems, as well communicating to senior management and planning for future IT strategy and IT security. The Company has an established Information Security Committee to manage the information security risk assessment framework. This framework includes a defined methodology and tolerable level of risk documented within the Information Security Management System (“ISMS”) and relevant controls addressing business risks. The committee is informed of all security incidents and ensures appropriate remediation activities are implemented. The Company s ISMS are audited by both internal and external parties on a regular basis. Results of audits and material security incidents are presented to the Board of Directors on a quarterly basis.

Company Information