SilverSun Technologies, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

SilverSun Technologies, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 15:31:09 EDT.

Filings

10-K filed on 2024-03-14

SilverSun Technologies, Inc. filed an 10-K at 2024-03-14 15:31:09 EDT
Accession Number: 0001185185-24-000237

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The secure processing, maintenance and transmission of sensitive data, including confidential and other proprietary information about our business and our employees, customers, suppliers and business partners, is important to our operations and business strategy. As a result, cybersecurity, data classification and data protection are key components of our long-term strategy. 34 Table of Contents We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities, and test those systems pursuant to our cybersecurity policies, processes, and practices, which are integrated into our overall risk management program. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help identify, escalate, investigate, resolve, and recover from cybersecurity incidents in a timely manner. Our security operations team ( SOT ), which is comprised of internal security professionals and reports to the Chief Information Officer ( CIO ) of SWK, has first line responsibility for our cybersecurity risk management processes as they relate to day-to-day operations. Our audit and compliance team ( ACT ), which is comprised of a team lead and the CIO, has second line responsibility and works in partnership with our executive leadership team ( ELT ) and other internal teams to coordinate efforts, priorities and oversight. Our ACT assesses cybersecurity threats and risks based on probability and potential impact to key business systems and processes. Threats and risks that can cause major damage or service impact that the ACT considers high are incorporated into our overall risk management program. The ACT develops a mitigation plan for each identified high threat and risk and reports its progress with respect to mitigation of such threats and risks to the Technology Risk Management Committee, which is part of our ELT and consists of both management-level employees and members of the SilverSun board of directors such high-level cybersecurity threats and risks are tracked as part of our overall risk management program. We collaborate with third parties to assess the effectiveness of our cybersecurity incident prevention and response systems and processes as our SOT deems necessary or appropriate. These include cybersecurity assessors, consultants, and other external cybersecurity experts to assist in the identification, verification, and validation of cybersecurity threats and risks, as well as to support associated mitigation plans when necessary. Our SOC Type 2 audit, completed in September 2023, attests to the effectiveness of our security and risk management controls. We have also developed a third-party cybersecurity risk management process to conduct due diligence on external entities critical to our ongoing business operations, including those that perform cybersecurity services. We sponsor a multi-faceted security awareness program that includes regular, mandatory trainings for our personnel on data protection and malware detection, policy and process awareness, periodic phishing simulations and other kinds of preparedness testing including disaster recovery exercises. We maintain a cross-functional cybersecurity incident response plan with defined roles, responsibilities and reporting protocols. This plan, which we evaluate and test on a regular basis, focuses on responding to and recovering from any significant cybersecurity incident as well as mitigating any impact from such incidents on our business. Generally, when a cybersecurity incident or suspected cybersecurity incident is identified, the SOT would escalate the issue to the ACT for initial analysis and guidance. In the event of a significant cybersecurity incident, the ELT would typically be tasked with preparing an initial response. The ELT, with support from the ACT, would be responsible for determining whether a particular cybersecurity incident (alone or in combination with other factors) triggers any reporting or notification responsibilities under applicable law or regulation or pursuant to any contractual obligation. The ACT, in consultation with the ELT and other members of senior management, updates its strategy at least annually to account for changes in our business strategy, legal and regulatory developments across our geographic footprint, the results of our recent EGS initiatives, and further developments in the cybersecurity threat landscape. In addition, we periodically engage a third-party provider to conduct an external assessment of our cybersecurity program. The results of this assessment, which are reported to the board of directors, assist us in determining whether any further changes to our existing policies and practices are warranted. As indicated above, we engage third-party providers to assist us with our cybersecurity risk management and strategy. Some of these providers provide us with ongoing assistance (such as threat monitoring, mitigation strategies, updates on emerging trends and developments and policy guidance) while we engage others to provide targeted assistance (such as security and forensic expertise) as needed. Prior to exchanging any sensitive data or integrating with any key third-party provider, we assess their cybersecurity fitness against our risk posture and request changes as we deem necessary. As of December 31, 2023, we have not identified any risks from cybersecurity threats (including any previous cybersecurity incidents) that have materially affected, or are reasonably likely to materially affect, the Company, including our business strategy, our results of operations or our financial condition. For a discussion of risks from cybersecurity threats that could be reasonably likely to materially affect us, please see our Risk Factors discussion under the headings Risks Relating to our Business - If there are events or circumstances affecting the reliability or security of the internet, access to our website and/or the ability to safeguard confidential information could be impaired causing a negative effect on the financial results of our business operations and Risks Relating to our Business - Computer Malware, Viruses, Hacking, Phishing Attacks and Spamming Could Harm Our Business and Results of Operations in this Form 10-K. 35 Table of Contents Governance Board Oversight . Currently, our board of directors oversees our risk management program, including with respect to material cybersecurity threats and associated risk exposures. The ACT reports to the board of directors semiannually on information security and data privacy and protection. These presentations address a wide range of topics, including trends in cybersecurity threats and the status of initiatives intended to bolster our cyber security systems and the cyber readiness of our personnel. Our board of directors oversees our risk management process, including as it pertains to material risks from cybersecurity threats, directly and through its committees. Board of directors meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity threats, and reports from the CIO on our enterprise risk profile on an annual basis. The board of directors reviews our cybersecurity risk profile with management on a periodic basis using key performance and/or risk indicators. These key performance indicators are metrics and measurements designed to assess the effectiveness of our cybersecurity program in the prevention, detection, mitigation, and remediation of cybersecurity incidents. The board of directors plans, however, to delegate to its Audit Committee in the near future specific responsibility for overseeing our risk management program, which focuses on the most significant risks we face in the short-, intermediate-, and long-term timeframe, including specific responsibility for overseeing material cybersecurity risk exposures. Specifically, the Audit Committee will be responsible for establishing risk tolerance guidelines around our cybersecurity posture, risk assessment, strategy and mitigation and for making recommendations related to the protection or privacy of our critical systems and data, and will take over the board of directors functions in this regard as described above. The board of directors will continue to meet, at least annually, with members of our ACT to review and discuss our cybersecurity program, including areas of material risk and how these risks, which may include cybersecurity risk, are being managed and reported to the board of directors and its committees. Management s Role . Our ELT team is composed of several support teams that address and respond to cyber risk, including cyber risks related to security architecture and engineering, identity and access management and security operations. The ACT oversees compliance with our cybersecurity framework within the organization and facilitates cybersecurity risk management activities throughout the organization. The ACT also assists with the review and approval of policies, completes benchmarking against applicable standards, maintains a cyber risk registrar and oversees the security awareness program. Our ACT reports to our CIO. Our CIO reports to our CTO who in turn, reports to our CEO who, in turn, reports to our Board of Directors. Our CIO has 30 years of experience in leading global security functions and strategies. Collectively, the other members of our ACT and SOT relevant education and experience and maintain a wide range of industry certifications. We invest in regular, ongoing cybersecurity training for our ACT and SOT.

Company Information