Page last updated on February 13, 2026
ROBERT HALF INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-13 15:14:17 EST.
Filings
10-K filed on 2026-02-13
ROBERT HALF INC. filed a 10-K at 2026-02-13 15:14:17 EST
Accession Number: 0000315213-26-000006
Item 1C. Cybersecurity.
As part of the Company's broader information security program, the cybersecurity program includes a defense-in-depth model that uses layered controls to protect against, detect, respond to and recover from cybersecurity incidents ("Incidents"). The Company's cybersecurity program is designed to prioritize detection, analysis and response to known and anticipated cyber threats and effectively manage cyber risks and resilience against Incidents. The Company designs its program using portions of several industry and regulatory frameworks as informative, including the National Institute of Standards and Technology ("NIST") Cybersecurity Framework, NIST 800-53, International Organization for Standardization Information Security Management Systems ("ISO 27001"), the CIS Critical Security Controls and the System and Organization Controls 2 Type 2.
Cybersecurity Governance
The Company's cybersecurity strategy and risk management is overseen by the Board of Directors (the "Board") and implemented and managed by the Company's Enterprise Information Security Steering Committee, a cross-functional team of senior executives representing business functions across Robert Half and chaired by the Chief Information Security Officer ("CISO"). The CISO oversees the Company's Enterprise Information Security team ("EIS").
Board Governance
The Board views cybersecurity as part of the Company's overall enterprise risk management function, which the Board oversees. Cybersecurity is integrated into the Company's business strategy, financial planning and capital allocation. The Board oversees the Company's information security program, which includes oversight of the cybersecurity program and management of cybersecurity risks. The Board receives annual updates from the Company's CISO, and/or members of the executive leadership team.
Such reports typically address, among other things, the Company's cybersecurity strategy, initiatives, key security metrics and business response plans. They also cover the evolving cyber threat landscape, and an overview of information technology risks impacting the Company. Management provides notice of potential material Incidents to the Board as set forth in the Cybersecurity Incident Playbook (the "Playbook") and the Cybersecurity Incident Disclosure Control Procedure (the "Cyber Disclosure Procedure").
Management Governance
The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by the Enterprise Information Security Steering Committee, led by the CISO. The CISO brings over 15 years of experience building and leading cybersecurity programs and teams. The CISO has experience as a Chief Information Security Officer in multiple industries and has received Certified Information Systems Security Professional and Certification in Risk Management Assurance certifications. The CISO is responsible for the day-to-day management of the cybersecurity program, including designing controls to prevent, detect, investigate and respond to cybersecurity threats and Incidents. The CISO also evaluates the program's effectiveness as threats evolve. Members of the Enterprise Information Security Steering Committee also include the Global Data Privacy Officer, Chief Technology Officer, Chief Administrative Officer, the General Counsel and the Global Risk Officer of Protiviti.
Specifically, the Enterprise Information Security Steering Committee typically meets multiple times per year, including impromptu meetings as necessary, to:
- Review the cybersecurity threat landscape, risks and data security programs, and the Company's management and strategy for attempting to mitigate cybersecurity risks and Incidents;
- Assess compliance with applicable information security laws and industry standards;
- Discuss cybersecurity policies, including the guidelines and policies established by the Company, which are designed to assess, monitor and mitigate the Company's significant cybersecurity, technology and information systems' related risk exposures; and
- Oversee crisis preparedness plans with respect to cybersecurity, including Incident response preparedness, communication plans and business continuity capabilities.
Senior management of many departments in the Company also engage in tabletop exercises in order to test Incident preparedness, review the effectiveness of the Playbook and maintain effective coordination in the event of an Incident.
Processes Designed for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
The Cybersecurity Incident Response Team ("CIRT"), which provides technical expertise, and/or the Crisis Management Team ("CMT"), which focuses on business response, impact, business continuity and risk mitigation, work together and utilize a Cybersecurity Incident Response Plan (the "CIRP") and the Playbook to: (1) prepare for and protect against Incidents; (2) detect and analyze Incidents; and (3) contain, eradicate and appropriately report on Incidents. In the event of an Incident, the CIRP provides a framework to coordinate the response. The CIRP and Playbook also address escalation protocols to senior management with respect to disclosure determinations related to an Incident and provides for Executive Team briefings as appropriate.
If the CIRT's initial investigation of the facts of an Incident indicates the need for escalation for potential disclosure, the CMT will utilize the process in the Playbook and the Cyber Disclosure Procedure may be utilized. The Playbook provides understandable and flexible processes for analyzing and responding to Incidents. In the event of an Incident, the Playbook provides predefined steps for response and escalation.
The Cyber Disclosure Procedure establishes a flexible and context-dependent process for determining whether an Incident constitutes a material Incident pursuant to the rules and regulations of the SEC. A committee of senior management personnel is established to assess potential Incidents. Standing members of the Cyber Disclosure Committee ("CDC") include the President and Chief Executive Officer, Chief Financial Officer, General Counsel, Global Privacy Officer and Chief Technology Officer. When evaluating the materiality of an Incident, the CDC considers both the quantitative and qualitative impacts, including the nature, extent and potential magnitude of the risks to the Company related to the Incident, particularly as it may relate to any compromised information or the scope of Company operations. If the CDC determines the Board should be notified, a meeting will be called with the Executive Committee of the Board, the Audit Committee Chair, the Board's cybersecurity expert or any combination or subset of the foregoing.
EIS conducts periodic cybersecurity evaluations of (i) critical third-party providers as risk dictates and (ii) significant new third-party providers prior to onboarding. EIS monitors and manages vulnerabilities in third-party environments through its vulnerability management program. This program aggregates findings from the vulnerability detection and secure configuration management tools within a dashboard, which allows EIS personnel to focus on high-priority matters.
EIS maintains a range of security controls, including multi-factor authentication, internal and external penetration testing, cybersecurity assessments, benchmarking, annual employee security training, and social engineering testing. To detect and prevent Incidents, the cybersecurity program uses automated event-detection technology monitored by the cyber defense team, notifications from employees, vendors or service providers, and other tools. The Company has relationships with a number of third-party service providers to assist with Incident response and containment and remediation efforts, including a forensic investigation firm, insurance providers, auditors, consultants, assessors and various law firms.
While the Company maintains a robust cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, the Company operates with, and plans for, the notion that it is impossible to prevent or detect all Incidents, that Incidents will occur, and that the Company will not always be able to detect threats in a timely manner or anticipate and implement adequate security measures. For additional information, see Item 1A. "Risks Related to the Company's Information Technology, Cybersecurity and Data Protection."
Cybersecurity Risks
The Company is not aware of any Incidents or threats during the past fiscal year that met the threshold for materiality under SEC rules. However, the Company and its customers routinely face risks of Incidents, as the Company relies heavily on its information technology systems.
Although the Company makes efforts to maintain the security and integrity of the Company's information technology systems, these systems and the proprietary, confidential internal and customer information that resides on or is transmitted through them are subject to the risk of Incidents or disruption, and there can be no assurance that the Company's or its third-party providers' security measures will prevent all breakdowns or Incidents affecting the Company's or the Company's third-party providers' information security environments, software or systems that could adversely affect the Company's business.
Company Information
| Name | ROBERT HALF INC. |
| CIK | 0000315213 |
| SIC Description | Services-Help Supply Services |
| Ticker | RHI - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |