LINCOLN EDUCATIONAL SERVICES CORP 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

LINCOLN EDUCATIONAL SERVICES CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 17:28:00 EST.

Filings

10-K filed on 2026-03-02

LINCOLN EDUCATIONAL SERVICES CORP filed a 10-K at 2026-03-02 17:28:00 EST
Accession Number: 0001140361-26-007380


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company recognizes the critical importance of maintaining the safety and security of our systems and data and we take a holistic approach to the oversight and management of cybersecurity and related risks. This approach is supported by our Board of Directors and management who are actively involved in the oversight of our risk management program. The Company's cybersecurity program is designed to protect and preserve the integrity of our networks and systems. Our cybersecurity program includes the following key elements:

● Multi-Layered Defense Technology - We work to protect our computing environments and products from cybersecurity threats through multi-layered defenses and apply lessons learned from our defense and monitoring efforts to help prevent future attacks. We utilize data analytics to detect anomalies and search for cybersecurity threats.
● Cybersecurity Incident Response Plan - We have in place a cybersecurity incident response plan that provides procedures regarding timely response and reporting of cyber incidents. The plan will be tested annually with tabletop exercises.
● Continuous Monitoring and Analysis - We utilize a third-party Security Operations Center that maintains a 24/7 monitoring system and provides comprehensive cyber threat detection and response capabilities which complements the Company's cybersecurity team and leverages the technology, processes and threat detection techniques used to monitor, manage, and mitigate cybersecurity threats. For additional visibility and perspective, we engage with a different third-party security firm for monthly reviews and analyses. From time to time, we engage additional third-party consultants or other advisors to assist in assessing, identifying and/or managing cybersecurity threats including formalized penetration and cybersecurity testing.
● Third Party Risk Assessments - We conduct information security assessments before sharing or allowing the hosting of sensitive data in computing environments managed by third parties, and our standard contracts contain terms and conditions requiring certain security protections.
● Training and Awareness - We provide mandatory monthly awareness training and testing to all employees to help our employees identify, avoid and mitigate cybersecurity threats, including spear phishing and other awareness testing.
● Response Policy - We maintain a data breach response policy defining our incident analysis and response actions. This policy describes our initial actions upon learning of an incident, confirmation steps, notification to affected parties if any, risk mitigation planning, and post incident procedures.
● Cybersecurity Incident Insurance - We maintain cybersecurity incident insurance coverage in amounts that we believe are adequate to address any incidents such as data destruction, extortion, theft, hacking, denial of service attacks and other such incidents. However, the Company may incur expenses and losses related to a cyber incident that are not covered by insurance or that exceed our insurance coverage.

Cybersecurity Governance

Our Board of Directors oversees our cybersecurity program as part of our enterprise risk management. In connection with such oversight, the Board of Directors receives periodic updates, as appropriate (and no less frequently than annually), from our CIO regarding the Company's cybersecurity risk management processes and the risk trends related to cybersecurity. The Audit Committee assists the Board in its oversight of risks, generally and risks related to cybersecurity.

Our cybersecurity team, which maintains our cybersecurity function, is comprised of technology and cybersecurity professionals in the information technology department, and is led by our Chief Information Officer ("CIO") who, prior to joining the Company, held positions as CIO, Chief Technology Officer ("CTO"), and other key leadership positions in the finance, insurance, pension benefits and banking industries. Our CIO reports directly to our Chief Executive Officer and is responsible for management of cybersecurity risk and the protection and defense of our networks and systems through, among other things, recommending policies and standards, conducting regular risk assessments and maintaining compliance. Our CIO reports to the Board of Directors twice per year on the status of the Company's cybersecurity risk management processes as well as on the cyber risks and threats that the Company faces and the emerging threat landscape.

The cybersecurity team has broad experience and expertise, including in cybersecurity threat assessment and detection, governance, identity and access management, logical security (including cloud, end point and network), security awareness and training, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance. As cybersecurity threats may arise, the cybersecurity team focuses on responding to and containing the threat, minimizing any business impact and complying with reporting obligations, as appropriate. To that end, the department maintains a detailed Cybersecurity Incident Response Plan including appropriate notifications should an incident occur.

In the event of a perceived threat or possible cybersecurity incident, the cybersecurity team is trained to assess, among other factors, student safety impact, data and personal information impact, the possibility of business operations disruption, projected cost, if any, potential for reputational harm and reporting obligations, with support from external technical, legal and law enforcement support, as appropriate.

Cybersecurity Threats

While we have experienced minor cybersecurity threats in the past, such as spear phishing or smishing (SMS phishing), to date no such threats have materially affected the Company's business strategy, results of operations, or financial condition. We continue to invest in the cybersecurity and resiliency of our networks and to enhance our internal controls and processes that are designed to help protect our systems and infrastructure and the information contained therein. However, notwithstanding our efforts to protect confidential and personal information, we cannot assume that our systems and facilities will not experience a cybersecurity incident in the future that will materially affect us. Please see Part I, Item 1A, "Risk Factors".


Company Information

Name: LINCOLN EDUCATIONAL SERVICES CORP
CIK: 0001286613
SIC Description: Services-Educational Services
Ticker: LINC - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 31