HireQuest, Inc. 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

HireQuest, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 17:15:47 EDT.

Filings

10-K filed on 2024-03-21

HireQuest, Inc. filed an 10-K at 2024-03-21 17:15:47 EDT
Accession Number: 0001437749-24-008879

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity
Item 1C. Cybersecurity Cybersecurity incidents continue to become more prevalent requiring adequate and and continuous assessment, identification, and management of material risks associated with cybersecurity threats. These risks include, among other things, disruption of our business processes and proprietary software, and potential unwanted disclosure of protected personal information which may cause harm to our employees, and clients, violations of privacy laws and regulations, breach of confidentiality and other contractual obligations, litigation and legal action, and financial and reputational harm. We utilize cybersecurity technologies and established procedures and processes to identify, assess, and manage these material cybersecurity risks. Risk Assessments Our Chief Information Officer ( CIO ) heads our technology team which establishes processes and procedures to assess technology related risks, including cybersecurity risks, to the company. Protections we have in place include regular network monitoring, vulnerability assessments, and tabletop exercises to inform the company of potential risks and mitigation strategies. We also execute enterprise risk management assessments, which include cybersecurity threat risks. Our CIO has reviewed the standards created by the National Institute of Standards and Technology and has incorporated their approaches where appropriate. We conduct internal and external risk assessments. Our Board of Directors has ultimate oversight with respect to cybersecurity. At each regularly scheduled board meeting, the Board discusses the steps the Company has taken to ensure proper security. While we have not experienced material cybersecurity incidents in the past, our policies and procedures require us to inform the Board of any material incident. Ongoing Activities To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against, detect, and respond to cybersecurity incidents, we undertake the following activities: All corporate machines are protected by anti-virus software and enterprise network protection We require two-factor authentication on all corporate machines We require two-factor authentication for all corporate email accounts We require all corporate employees to complete quarterly cybersecurity training provided by a third-party Our CIO and other members of our technology team, proactively monitor all potential risks and immediately respond to threats Our data is backed up in multiple offline air-gapped devices We test all backups quarterly We monitor regulations to ensure our policies and procedures are up-to-date and compliant. Incident Response Our incident response plan identifies the key employees responsible for responding to a cybersecurity incident including our CIO, CLO, CEO, and other executives along with the technology department, and coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. The Company has not experienced incidents in the past which were material to our operating results or business. Third-Party Risk Management Our polices and processes address cybersecurity threat risks associated with the use of third-party service providers, including those who access, use and/or store our client, candidate, associate and employee data or have access to our network and systems. Third-party risks are included within our enterprise risk management assessment program, as well as our information security-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform due diligence on third parties that have access to our systems, data or facilities that house such systems or data. This allows us to identify high-risk providers and continually monitor for cybersecurity threat risks appropriately. Additionally, we require contracts with all third parties that have access to our network and systems to include baseline security requirements for adequate data handling, as well as to provide the company with audit rights. Such contractual requirements are reviewed during each subsequent contract renewal process.

Company Information