ASGN Inc 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

ASGN Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 20:34:36 EST.

Filings

10-K filed on 2026-02-25

ASGN Inc filed a 10-K at 2026-02-25 20:34:36 EST
Accession Number: 0000890564-26-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity A process for assessing, identifying, and managing cybersecurity related risks is integrated into our overall enterprise risk management ("ERM") process. Cybersecurity related risks are included in the risk universe that the ERM process participants evaluate to assess top risks to the Company on an annual basis. The Audit Committee of the Board oversees the ERM annual risk assessment. Furthermore, as a digital innovation and transformation company, we are committed to our ever-evolving cyber protocols that safeguard our people, clients, and data. Every year, we assess our approach to information and physical security, risk management, incident response, business continuity management, and personal data privacy and protection. ASGN takes an enterprise approach to data protection and cybersecurity, focusing on continual process and technology improvements to enable safety, security, and information privacy. All our brands align to the Department of Defense's Cybersecurity Maturity Model Certification ("CMMC") 2.0 framework and have implemented common technology and data protection and cybersecurity controls and 13 processes, which provides a unified approach to our cybersecurity measures. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the CMMC 2.0 framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. We have invested in endpoint protection, cloud security, vulnerability management, and data loss prevention, featuring insider threat detection, and we also conduct regular threat actor risk assessments and assess the risk posed by third-party vendors. Further, we conduct penetration tests to detect potential security gaps in cloud and on-premise systems. These tests continuously simulate cyber-attacks across the entire enterprise including physical hardware, network endpoints, and critical applications such as Oracle, SQL, Deltek, web and cloud-based services. We maintain a vigilant approach to cybersecurity and operational readiness, with cybersecurity practices designed to reduce the impact of any incident. We have business continuity and disaster recovery policies and our plans are tested annually to confirm critical business functions can continue with minimal disruption in unforeseen circumstances. Our cybersecurity incident response plan is reviewed and tested through internal and external assessments, including incident response audits, to assess effectiveness and readiness. In addition to these practices, our resiliency framework incorporates annual testing of business continuity and disaster recovery plans, with identified improvements integrated into our operational and security processes. Our resiliency efforts combine cybersecurity, physical security, and data privacy controls to support continuity of operations during disruptive events. Insights gained from these evaluations inform enhancements to our procedures and strengthen our overall ability to respond to and recover from incidents. We conduct regular internal and external audits to adhere to our security policies and procedures and identify improvement areas. Our audits include annual audits conducted by third-party service providers , internal audits, compliance audits, risk assessments, and incident response audits. In addition to these audits, ASGN collaborates with industry partners, law enforcement agencies, and government organizations to share intelligence and best practices related to cybersecurity. This collaboration helps us stay ahead of emerging threats and continuously improve our security posture. We face risks from cybersecurity threats, that if realized, are reasonably likely to materially affect us including our operations, business strategy, results of operations or financial condition. In 2025, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents . See the risk factor related to " The failure to prevent a cybersecurity incident affecting our or third-party systems could result in the disruption of our services or the disclosure or misuse of sensitive information, which could harm our reputation, decrease demand for our services and products, expose us to liability, penalties, and remedial costs, or otherwise adversely affect our financial performance" in Item 1A. Risk Factors. Governance ASGN's data protection and cybersecurity governance structure enables transparency and visibility to key stakeholders: the Company's Board and its Strategy and Technology, and Audit Committees, and the Company's Chief Executive Officer ("CEO"). The Board's Strategy and Technology Committee focuses on technology and cybersecurity, while the Board's Audit Committee reviews data security breaches or other issues. Each committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives briefings from management on our cyber risk management program. In addition, management updates the Board, where it deems appropriate, regarding cybersecurity incidents it considers to be significant. Board members receive presentations on cybersecurity topics from the Company's Chief Information Security Officer ("CISO"), and external experts as part of the Board's continuing education on topics that impact public companies. Our CISO joined the Company in 2018 in connection with the acquisition of ECS Federal, LLC and has decades of experience in oversight of cybersecurity operations. Two key enabling bodies, ASGN's Enterprise Security Council ("Council") and the Security Operations Center ("SOC"), have primary responsibility for our overall cybersecurity risk management program and provide the structure necessary to set policy and direction as well as operationalize our required security posture. - The Council is led by the CISO and includes the Company's Chief Innovation Officer as well as a dedicated team of Cybersecurity Information Security Professionals, consisting of system engineers and security administrators. The Council members bring a wealth of experience in security operations, business process engineering, software development, enterprise resource planning systems, and the management of multinational wide area networks. The Council reports to the CEO and the Board's Strategy and Technology Committee and its primary mandate is to formulate comprehensive data protection and cybersecurity policies for ASGN, oversee the management of emerging security threats, proactively mitigate security risks, and safeguard our valuable assets. The Company also maintains an Advanced Research Center, which performs continual risk assessments of threat actors, including Advanced Persistent Threats, cybercriminals, and hacktivists, and provides periodic reports to management and our Board committees. - ASGN's Federal Government Segment, plays a vital role in safeguarding ASGN through its essential security control function. Serving as a managed services provider for both clients and internal operations, it oversees the SOC which is dedicated to monitoring, detecting, and responding to cybersecurity threats across our organization. Operating 24 hours a day, seven days a week, our SOC diligently filters system logs, leveraging proprietary AI/ML tools to identify global threats. We conduct continuous active hunts, and forensic analysis inspections on our network, proactively seeking out malware and intrusions. 14

Company Information