Mastech Digital, Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Mastech Digital, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 08:01:24 EDT.

Filings

10-K filed on 2024-03-15

Mastech Digital, Inc. filed an 10-K at 2024-03-15 08:01:24 EDT
Accession Number: 0001193125-24-068609

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Mastech Digital, Inc. recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Managing Material Risks & Integrated Overall Risk Management The Company has strategically integrated cybersecurity risk management into its broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. In 2022, we improved this integration by hiring a senior executive to assume the responsibilities of both the Chief Information Officer ( CIO ) and Chief Information Security Officer ( CISO ) roles within our organization. Thus, our risk management team is 100% aligned to our IT department to continuously evaluate and address cybersecurity risks within the Company s business objectives and operational needs. Engage Third-parties on Risk Management Recognizing the complexity and evolving nature of cybersecurity threats, Mastech Digital, Inc. engages with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements. We have recently partnered with a cybersecurity company that specializes in third party-vendor risk management. Oversee Third-party Risk Because we are aware of the risks associated with third-party service providers, Mastech Digital, Inc. implements stringent processes to oversee and manage these risks. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. The monitoring includes quarterly assessments by our CIO / CISO and on an ongoing basis by our security engineers. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third-parties. Risks from Cybersecurity Threats During 2022, we experienced a cybersecurity breach involving a single employee email account which indirectly impacted two Mastech InfoTrellis clients. Our security team identified the point of entry, decommissioned the affected laptop and email address, and changed email logins and passcodes for this email account. As a result of this incident, we engaged external advisors to validate our findings and remedial action steps. As part of this engagement, these advisors assisted us with a forensic analysis to determine whether any personally identifiable information ( PII ) was compromised as a result of this breach. For any such PII data determined to have been compromised, our advisors assisted us in determining the appropriate compliance steps. Governance The Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has established robust oversight mechanisms to ensure effective governance in 26 Table of Contents managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence. Board of Directors Oversight The Audit Committee is central to the Board s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of board members with diverse expertise including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively. Management s Role Managing Risk Our CIO / CISO and the Chief Executive Officer ( CEO ) play a pivotal role in informing the Audit Committee on cybersecurity risks. They provide comprehensive briefings to the Audit Committee on a regular basis, with a minimum frequency of twice per year. These briefings encompass a broad range of topics, including: Current cybersecurity landscape and emerging threats Status of ongoing cybersecurity initiatives and strategies Incident reports and learnings from any cybersecurity events and Compliance with regulatory requirements and industry standards. In addition to our scheduled meetings, the Audit Committee, CIO / CISO and CEO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain, ensuring the Board s oversight is proactive and responsive. The Audit Committee actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of Mastech Digital, Inc. The Board of Directors conducts an annual review of the company s cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework. Risk Management Personnel Primary responsibility for assessing, monitoring, and managing our cybersecurity risks rests with our CIO / CISO, Mr. Philippe Bourdon. With over 20 years of experience in the field of cybersecurity, Mr. Bourdon brings a wealth of expertise to his role as the Company s CIO / CISO. His background includes extensive experience as an enterprise CISO and is well-recognized within the industry. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CIO / CISO oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee training program. Monitor Cybersecurity Incidents The CIO / CISO is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The CIO / CISO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CIO / CISO is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. 27 Table of Contents Reporting to Board of Directors The CIO / CISO, in his capacity, regularly informs the Chief Financial Officer (CFO) our General Counsel as well as the Chief Executive Officer (CEO) of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing Mastech Digital, Inc. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Board of Directors, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues. 28 Table of Contents

Company Information