Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - RHI
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
Item 1A. Risk Factors
The Company’s cybersecurity strategy and risk management is overseen by the Board of Directors (the “Board”) and implemented and managed by the Company’s Enterprise Information Security Steering Committee, a cross-functional team of senior executives representing business functions across Robert Half and chaired by the Chief Information Security Officer (“CISO”). The CISO oversees the Company’s Enterprise Information Security team (“EIS”). The CISO oversees the Enterprise Information Security team (“EIS”). The Board oversees the Company’s information security program, which includes oversight of the cybersecurity program and management of cybersecurity risks. The Board receives annual updates from the Company’s CISO, and/or members of the executive leadership team. Such reports typically address, among other things, the Company’s cybersecurity strategy, initiatives, key security metrics and business response plans. Such reports typically address, among other things, the Company’s cybersecurity strategy, initiatives, key security metrics, business response plans and the evolving cyber threat landscape and a detailed threat assessment relating to information technology risks. They also cover the evolving cyber threat landscape, and an overview of information technology risks impacting the Company. Management provides notice of potential material Incidents to the Board as set forth in the Cybersecurity Incident Playbook (the “Playbook”) and the Cybersecurity Incident Disclosure Control Procedure (the “Cyber Disclosure Procedure”). The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by the Enterprise Information Security Steering Committee, led by the CISO . The CISO brings over 15 years of experience building and leading cybersecurity programs and teams. The CISO has experience as a Chief
Information Security Officer in multiple industries and has received Certified Information Systems Security Professional and Certification in Risk Management Assurance certifications. The CISO is responsible for the day-to-day management of the cybersecurity program, including designing controls to prevent, detect, investigate and respond to cybersecurity threats and Incidents. The CISO also evaluates the program’s effectiveness as threats evolve.Senior management of many departments in the Company also engage in tabletop exercises in order to test Incident preparedness, review the effectiveness of the Playbook and maintain effective coordination in the event of an Incident. EIS conducts periodic cybersecurity evaluations of (i) critical third-party providers as risk dictates and (ii) significant new third-party providers prior to onboarding. EIS monitors and manages vulnerabilities in third-party environments through its vulnerability management program. This program aggregates findings from the vulnerability detection and secure configuration management tools within a dashboard, which allows EIS personnel to focus on high-priority matters. This program aggregates findings from the vulnerability detection and secure configuration management tools within a dashboard, which allows EIS personnel to focus on high priority matters.
The Company is not aware of any Incidents or threats during the past fiscal year that met the threshold for materiality under SEC rules. However, the Company and its customers routinely face risks of Incidents, as the Company relies heavily on its information technology systems. However, the Company and its customers routinely face risks of cybersecurity incidents, wholly or partially beyond the Company’s control, as the Company relies heavily on information technology systems. Although the Company makes efforts to maintain the security and integrity of the Company’s information technology systems, these systems and the proprietary, confidential internal and customer information that resides on or is transmitted through them are subject to the risk of Incidents or disruption, and there can be no assurance that the Company’s or its third-party providers’ security measures will prevent all breakdowns or Incidents affecting the Company’s or the Company’s third-party providers’ information security environments, software or systems that could adversely affect the Company’s business. Although the Company makes efforts to maintain the security and integrity of the Company’s information technology systems, these systems and the proprietary, confidential internal and customer information that resides on or is transmitted through them, are subject to the risk of a cybersecurity incident or disruption, and there can be no assurance that the Company’s security efforts and measures and those of the Company’s third-14party providers will prevent breakdowns or incidents affecting the Company’s or the Company’s third-party providers’ databases or systems that could adversely affect the Company’s business. 
The Company’s business prospects are subject to various risks and uncertainties that impact its business. The most important of these risks and uncertainties are as follows:
Risks Related to the Company’s Business Environment
Any reduction in global economic activity may harm the Company’s business and financial condition. The demand for the Company’s services, in particular its talent solutions services, is highly dependent upon the state of the economy and upon the staffing needs of the Company’s clients. In the recent past, certain of the Company’s markets experienced economic uncertainty characterized by increasing unemployment, limited availability of credit, significant inflation, and decreased consumer and business spending. In addition, certain geopolitical events, including the ongoing war between Russia and Ukraine, the ongoing unrest throughout the Middle East, and conflict and political instability in parts of South America have caused significant economic, market, political or regulatory uncertainty in some of the Company’s markets. In addition, certain geopolitical events, including the ongoing war between Russia and Ukraine, the war between Israel and Hamas, and the expanding conflict throughout the Middle East have caused significant economic, market, political or regulatory uncertainty in some of the Company’s markets. Any decline in the economic condition or employment levels of the U.S. or of any of the foreign countries in which the Company does business, or in the economic condition of any region of any of the foregoing, or in any specific industry served by the Company may severely reduce the demand for the Company’s services and thereby significantly decrease the Company’s revenues and profits. Further, continued or intensifying economic, political or regulatory uncertainty in the Company’s markets or backlash against U.S.-based companies could reduce demand for the Company’s services.
The Company’s business depends on a strong reputation and anything that harms its reputation will likely harm its results. As a provider of contract and permanent talent solutions as well as consulting services, the Company’s reputation is dependent upon the performance of the employees it places with its clients and the services rendered by its consultants. The Company depends on its reputation and name recognition to secure engagements and to hire skilled employees and consultants. If the Company’s clients become dissatisfied with the performance of those employees or consultants, or if any of those employees or consultants engage in or are believed to have engaged in conduct that is harmful to the Company’s clients, the Company’s ability to maintain or expand its client base may be harmed.
The Company faces risks in operating internationally. The Company depends on operations in international markets for a significant portion of its business. These international operations are subject to a number of risks, including general political and economic conditions in those foreign countries, international hostilities and responses to those hostilities, the burden of complying with various potentially conflicting foreign laws, technical standards, unpredictable changes in foreign regulations, U.S. legal requirements governing U.S. companies operating in foreign countries, legal and cultural differences in the conduct of business, potential adverse tax consequences, and difficulty in staffing and managing international operations. Furthermore, the Company’s operations may be adversely impacted by conflicts between the U.S. government and those of other jurisdictions in which the Company operates. These factors may have a material adverse effect on the performance of the Company’s business. In addition, the Company’s business may be affected by foreign currency exchange fluctuations. In particular, the Company is subject to risk in translating its results in foreign currencies into the U.S. dollar. If the value of the U.S. dollar strengthens relative to other currencies, the Company’s reported income from these operations could decrease.
Natural disasters and unusual weather conditions, pandemic outbreaks, terrorist acts, global political events and other serious catastrophic events could disrupt business and otherwise materially adversely affect the Company’s business and financial condition. With operations in many states and multiple foreign countries, the Company is subject to numerous risks outside of the Company’s control, including risks arising from natural disasters, such as fires, earthquakes, hurricanes, floods, tornadoes, unusual weather conditions, pandemics and other global health emergencies, terrorist acts or disruptive global political events, or similar disruptions that could materially adversely affect the Company’s business and financial performance. Historically, the Company’s operations are dependent on the ability of employees and consultants to travel from business to business and from location to location. Historically, the Company’s operations are heavily dependent on the ability of employees and consultants to travel from business to business and from location to location. Any public health emergencies, including a real or potential global pandemic such as those caused by the avian flu, SARS, Ebola, coronavirus, or even a particularly virulent flu, could decrease demand for the Company’s services and the Company’s ability to offer them. Uncharacteristic or significant weather conditions may increase in frequency or severity due to climate change, which may increase the Company’s expenses, exacerbate other risks to the Company, including from impacts to key suppliers, and affect travel and the ability of businesses to remain open, which could lead to a decreased ability to offer the Company’s services and materially adversely affect the Company’s results of operations. Uncharacteristic or significant weather conditions may increase in frequency or severity due to climate change, which may increase the Company’s expenses, exacerbate other risks to the Company, and affect travel and the ability of businesses to remain open, which could lead to a decreased ability to offer the Company’s services and materially adversely affect the Company’s results of operations. In addition, these events could result in delays in placing employees and consultants, the temporary disruption in the transport of employees and consultants overseas and domestically, the inability of employees and consultants to reach or have transportation to clients directly affected by such events, and disruption to the Company’s information systems. Although it is not possible to predict such events or their consequences, these events could materially adversely affect the Company’s reputation, business and financial condition.
6
Failure to meet evolving and increasingly contradictory expectations for action or inaction on sustainability and ESG commitments and initiatives could harm the Company’s reputation, or otherwise adversely impact the business, financial condition or results of operations. The Company has public sustainability and environmental, social and governance (“ESG”) commitments, including environmental targets validated by the Science Based Target initiative (“SBTi”), designed to have a positive impact on the climate. The Company’s ability to achieve these goals is subject to a multitude of risks that may be outside of the Company’s control. The Company’s failure or perceived failure to achieve ESG- or climate-related goals or maintain ESG-related practices that meet evolving and sometimes contradictory regulatory and stakeholder expectations could harm the Company’s reputation, adversely impact the Company’s ability to attract and retain employees or clients, and expose the Company to increased scrutiny from the media, lawmakers, the investment community and regulators. The Company’s failure or perceived failure to achieve ESG goals or maintain ESG practices that meet evolving stakeholder expectations could harm the Company’s reputation, adversely impact the Company’s ability to attract and retain employees or clients, and expose the Company to increased scrutiny from the investment community and enforcement authorities. The Company’s reputation also may be harmed by the perceptions that clients, employees and other stakeholders, lawmakers and the media have about the Company’s action or inaction on social, ethical or political issues. The Company’s reputation also may be harmed by the perceptions that clients, employees and other stakeholders have about the Company’s action or inaction on social, ethical, or political issues. Damage to the Company’s reputation and loss of brand equity may reduce demand for the Company’s services and thus have an adverse effect on future financial results and reduce the stock price, as well as require additional resources to rebuild the Company’s reputation and restore the value of the brands. Damage to the Company’s reputation and loss of brand equity may reduce demand for the Company’s services and thus have an adverse effect on future financial results, as well as require additional resources to rebuild the Company’s reputation and restore the value of the brands and could also reduce the Company’s stock price. Increasingly, lawmakers, regulators and stakeholders have expressed or pursued ESG legislation and investment expectations with opposing positions and impacts. In recent years anti-ESG and anti-DEI sentiment has gained momentum across the U.S., with several dozen states, Congress and the Executive Branch having proposed or enacted “anti-ESG” and “anti-DEI” policies, legislation, executive orders or initiatives or issued related legal opinions. Meanwhile other states, countries and regions have introduced or enacted broader ESG disclosure or performance compliance obligations. Conflicting regulations, legal and regulatory uncertainty, and a lack of ESG harmonization of legal and regulatory environments across the jurisdictions in which the Company operates has created and, in the future may continue to create, enhanced compliance risks and costs. The Company may also face increasing scrutiny from its clients, candidates, employees, stakeholders, lawmakers and the media relating to the appropriate role of ESG practices and disclosures. Failure to prepare for and meet evolving standards and expectations could result in client dissatisfaction, regulatory penalties, investor backlash and diminished shareholder confidence.
Related to the Company’s Operations
The Company may be unable to find sufficient candidates for its talent solutions business. The Company’s talent solutions services business consists of the placement of individuals seeking employment. There can be no assurance that candidates for employment will continue to seek employment through the Company. Candidates generally seek contract or permanent positions through multiple sources, including the Company and its competitors. There have been periods of historically low unemployment in the U.S. in recent periods during which competition for workers in a number of industries was intense. When unemployment levels are low, finding sufficient eligible candidates to meet employers’ demands is more challenging. Although unemployment has risen in some areas in which the Company operates, talent shortages have persisted in a number of disciplines and jurisdictions. Any shortage of candidates could materially adversely affect the Company.
The Company operates in a highly competitive business and may be unable to retain clients or market share. The talent solutions business is highly competitive and, because it is a service business, the barriers to entry are quite low. There are many competitors, some of which have greater resources than the Company, and new competitors are entering the market all the time. The increased availability and maturation of AI tools may enable clients to use advanced automation capabilities in lieu of services provided by the Company’s contract talent personnel. Therefore, there can be no assurance that the Company will be able to retain clients or market share in the future. Nor can there be any assurance that the Company will, in light of competitive pressures, be able to remain profitable or, if profitable, maintain its current profit margins.
The Company may incur potential liability to employees and clients. The Company’s contract talent solutions business entails employing individuals on a temporary basis and placing such individuals in clients’ workplaces. The Company’s ability to control the workplace environment is limited. As the employer of record of its temporary employees, the Company incurs a risk of liability to its temporary employees for various workplace events, including claims of physical injury, discrimination, harassment or failure to protect confidential or personal information. In addition, in order to facilitate remote working arrangements, some of the Company’s temporary workers are accessing client workspaces from their personal devices through cloud-based systems, which could increase cybersecurity risks to the Company’s clients. If cybersecurity incidents were to occur in such a way, the Company may face legal and contractual liability, reputational damage, loss of business, and other expenses. The Company also incurs a risk of liability to its clients resulting from allegations of damages caused by temporary employees acting on phishing emails, facilitating, allowing or failing to stop cyberattacks, and other errors, omissions or theft by its temporary employees, or allegations of compromise of client confidential information. The Company also incurs a risk of liability to its clients resulting from allegations of damages caused by temporary employees acting on phishing emails and cyber attacks and other errors, omissions or theft by its temporary employees, or allegations of compromise of client confidential information. In some cases, the Company has agreed to indemnify its clients in respect of these types of claims. The Company maintains insurance with respect to many such claims. While such claims have not historically had a material adverse effect on the Company, there can be no assurance that the Company will continue to be able to obtain insurance at a cost that does not have a material adverse effect on the Company or that such claims (whether by reason of the Company not having sufficient insurance or by reason of such claims being outside the scope of the Company’s insurance) will not have a material adverse effect on the Company.
7
Protiviti operates in a highly competitive business and faces competitors who are significantly larger and have more established reputations. As with the Company’s talent solutions services business, the barriers to entry are quite low. There are many competitors, some of which have greater resources than Protiviti and many of which have been in operation far longer than Protiviti. In particular, Protiviti faces competition from the “Big Four” accounting firms, which have been in operation for a considerable period of time and have established reputations and client bases. Because the principal factors upon which competition is based are reputation, technology, tools, project methodologies, price of services and depth of skills of personnel, there can be no assurance that Protiviti will be successful in attracting and retaining clients or be able to maintain the technology, personnel, and other requirements to successfully compete. Because the principal factors upon which competition is based are reputation, technology, tools, project methodologies, price of services, and depth of skills of personnel, there can be no assurance that Protiviti will be successful in attracting and retaining clients or be able to maintain the technology, personnel, and other requirements to successfully compete.
Protiviti’s operations could subject it to liability. The business of Protiviti consists of providing business consulting and internal audit services. Protiviti risks liability from allegations of damages caused by errors, omissions or misconduct by its employees or allegations of compromised client confidential or personal information while working on consulting engagements, or from damages caused by its employees acting on phishing emails and facilitating, allowing or failing to stop cyberattacks while working in a client’s environment. Protiviti risks liability from allegations of damages caused by errors, omissions or misconduct by its employees working on consulting engagements or from damages caused by its employees acting on phishing emails and cyber attacks, or allegations of compromise of client confidential information. In some cases, the Company has agreed to indemnify its clients in respect of these types of claims. Liability could be incurred, or litigation could be, and from time-to-time has been, instituted against the Company or Protiviti for claims related to these activities or to prior transactions or activities. There can be no assurance that such liability or litigation will not have a material adverse impact on Protiviti or the Company.
The Company is dependent on its management personnel and employees, and a failure to attract and retain such personnel could harm its business. The Company is engaged in the services business. As such, its success or failure is highly dependent upon the performance of its management personnel and employees, rather than upon tangible assets (of which the Company has few). There can be no assurance that the Company will be able to attract and retain the personnel that are essential to its success. A failure to retain key management personnel could disrupt the Company’s operations and its succession strategy, hindering a smooth transition to new leadership and potentially disrupting the Company’s operations. A failure to retain key management personnel could disrupt the Company’s succession strategy, hindering a smooth transition to new leadership and potentially disrupting the Company’s operations.
The Company’s results of operations and ability to grow could be materially negatively affected if it cannot successfully keep pace with technological changes impacting the development and implementation of its services and the evolving needs of its clients. The Company’s success depends on its ability to keep pace with rapid technological changes affecting both the development and implementation of its services and the staffing needs of its clients. Technological advances such as AI, machine learning and automation are impacting industries served by all of the Company’s lines of business. Technological advances such as artificial intelligence, machine learning, and automation are impacting industries served by all the Company’s lines of business. In addition, the Company’s business relies on a variety of technologies, including those that support hiring and tracking, order management, billing, and client data analytics. If the Company does not sufficiently invest in new technology and keep pace with industry developments, appropriately implement new technologies, or evolve its business at sufficient speed and scale in response to such developments, or if it does not make the right strategic investments to respond to these developments, the Company’s services, results of operations, and ability to develop and maintain its business could be negatively affected.
The Company uses AI in its provision of services which may result in operational challenges, legal liability, reputational concerns, and privacy, security and competitive risks.The Company uses artificial intelligence in its services which may result in operational challenges, legal liability, reputational concerns and privacy and competitive risks. The Company currently uses and intends to continue using its proprietary AI processes, algorithms and applications, as well as those of third parties in its daily operations for Protiviti and talent solutions, including by deploying generative AI into the Company’s talent solutions search operations. Protiviti has expanded its service offerings to include AI risk analysis, policy creation, governance, and technology selection and architecture. Protiviti expanded its service offerings to include AI risk analysis, policy creation, governance, and technology selection and architecture. The use of AI by talent solutions and provision of AI related services by Protiviti may result in operational challenges, legal liability, reputational concerns, and privacy, security and competitive risks which could result in adverse effects to the Company’s financial condition, results or reputation. The use of AI by talent solutions and provision of AI related services by Protiviti may result in operational challenges, legal liability, reputational concerns and privacy and competitive risks which could result in adverse effects to the Company’s financial condition, results or reputation. Generative AI products and services leverage existing and widely available technologies, such as Chat GPT-4 and its successors, or alternative large language models or other processes. The use of generative AI processes at scale is relatively new and may lead to challenges, concerns and risks that are significant or that the Company may not be able to predict, especially if its use of these technologies in the delivery of its services becomes more important to its operations over time.
Use of generative AI in search operations and services offerings may be difficult to deploy successfully due to operational issues inherent to the nature of such technologies. AI algorithms use machine learning and predictive analytics, which may lead to flawed, biased, and inaccurate candidate and lead generation search results. Datasets used for AI training, development or operations may be insufficient, of poor quality, reflect unwanted forms of bias, or raise other legal concerns (such as concerns relating to intellectual property infringement or data protection). Datasets in AI training, development, or operations may be insufficient, of poor quality, reflect unwanted forms of bias, or raise other legal concerns (such as concerns regarding copyright protections or data protection). Inappropriate or controversial data practices by, or practices reflecting inherent biases of, data scientists, engineers and end-users of the Company’s systems could lead to mistrust, rejection or skepticism of the Company’s services by clients and candidates.
Further, unauthorized use or misuse of AI by the Company’s employees, vendors or others may result in disclosure of confidential company and customer data, reputational harm, privacy law violations, and legal liability. The Company’s use of
8
AI may also lead to novel and urgent cybersecurity risks, including access to or the misuse of personal data, all of which may adversely affect its operations and reputation.
In addition, the Company increasingly relies on third-party technology vendors that regularly deploy new and enhanced AI-enabled features, tools and platforms, often at a rapid pace and with limited advance notice. These technologies in some cases may be made broadly available to employees, including through embedded features in existing enterprise software or low-code or no-code development environments that enable employees to build or customize AI-enabled tools. As a result, the Company may have limited ability to fully evaluate, test, restrict, monitor or govern the security, data handling practices, model behavior, or downstream uses of such AI technologies before or after deployment.
Governance, monitoring and security controls designed to manage the use of AI technologies, including controls related to data access, data retention, model training, prompt inputs and outputs, explainability, auditability and third-party risk management, are evolving and may not mature at the same pace as the deployment of new AI capabilities by vendors. This disparity may increase the risk of unauthorized or unintended use of AI, data leakage, regulatory non-compliance, intellectual property infringement, security vulnerabilities, or inconsistent application of Company policies. The Company may also incur additional costs and operational complexity through attempts to retrofit controls, implement safeguards, restrict access, or discontinue use of certain AI tools after deployment. Any failure to effectively manage these risks could adversely affect the Company’s business, results of operations, financial condition or reputation.
Uncertainty in the legal regulatory regime relating to AI may require significant resources to modify and maintain business practices to comply with U.S. and non-U.S. laws, the nature of which cannot be determined at this time. Several jurisdictions around the globe, including Europe and certain U.S. states, have already proposed or enacted laws governing the use, development and training of AI. For example, the European Union passed the Artificial Intelligence Act in 2024 which contains prescriptive AI regulations and laws, and the Company expects other jurisdictions will adopt similar legislation. Such other jurisdictions may decide to adopt similar or more restrictive legislation, and jurisdictions that have already enacted legislation could elect to enact additional legislation, any of which could render the use of AI challenging, impossible or financially prohibitive.
The demand for the Company’s services related to regulatory compliance may decline. The operations of both the talent solutions business and Protiviti include services related to Sarbanes-Oxley, Anti-Money Laundering Act of 2020 reviews, the Bank Secrecy Act of 1970, as amended, and related anti-money laundering regulations, the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), the Foreign Corrupt Practices Act of 1977 and other regulatory compliance services. There can be no assurance that there will be ongoing demand for these services. Similarly, from time-to-time proposals are considered by the U.S. Congress to further delay or, in some cases, remove the requirements of Sarbanes-Oxley and the Dodd-Frank Act for a number of public and private companies. Furthermore, the enforcement priorities of U.S. regulators fluctuate from time to time, which may lead to periods of decreased demand for certain of the Company’s regulatory compliance services. These or other similar modifications of the regulatory requirements could decrease demand for Protiviti’s and talent solution’s services.
Long-term contracts do not comprise a significant portion of the Company’s revenue. Because long-term contracts are not a significant part of the Company’s talent solutions business, future results cannot be reliably predicted by considering past trends or extrapolating past results. Additionally, the Company’s clients will frequently enter nonexclusive arrangements with several firms, which the client is generally able to terminate on short notice and without penalty. The nature of these arrangements further exacerbates the difficulty in predicting the Company’s future results.
If the Company does not effectively manage billable rates, the Company’s financial results could suffer. Accurate and strategic pricing represents a key factor in the Company’s financial results. If billable rates are too low, the Company’s service revenues may not cover operational costs, whereas if billable rates are too high, the Company risks hindering client retention and limits competitiveness.
Legal and Regulatory Risks
The Company and certain subsidiaries are defendants in several lawsuits that could cause the Company to incur substantial liabilities. The Company and certain subsidiaries are defendants in several certified or putative class and representative action lawsuits brought by or on behalf of the Company’s current and former employees alleging violations of federal and state law with respect to certain wage and hour related matters. The Company and certain subsidiaries are defendants in several actual or asserted class and representative action lawsuits brought by or on behalf of the Company’s current and former employees alleging violations of federal and state law with respect to certain wage and hour related matters, as well as claims challenging the Company’s compliance with the Fair Credit Reporting Act. The various claims made in one or more of such lawsuits include, among other things, the misclassification of certain employees as exempt employees under applicable law, failure to comply with wage statement requirements, failure to compensate certain employees for time spent performing activities related to the interviewing process (including attending the interviews themselves), and other related wage and hour violations. Such suits seek, as applicable, unspecified amounts for unpaid overtime compensation, penalties and other damages, as well as attorneys’ fees. The Company is defending several claims brought under the California Labor Code Private Attorney
9
General Act (“PAGA”) and which authorizes individuals to file lawsuits to seek civil penalties on behalf of themselves and other employees for alleged labor code violations. It is not possible to predict the outcome of these lawsuits. However, these lawsuits may consume substantial amounts of the Company’s financial and managerial resources and might result in adverse publicity regardless of the ultimate outcome of the lawsuits. In addition, the Company and its subsidiaries may become subject to similar lawsuits in the same or other jurisdictions, or to various other claims, disputes, and legal or regulatory proceedings that arise in the ordinary course of business. An unfavorable outcome with respect to these lawsuits and any future lawsuits or regulatory proceedings could, individually or in the aggregate, cause the Company to incur substantial liabilities or impact its operations in such a way that may have a material adverse effect upon the Company’s business, financial condition or results of operations. Furthermore, any future lawsuits, claims, disputes, or legal or regulatory proceedings may also consume substantial amounts of the Company’s financial and managerial resources and might result in adverse publicity regardless of the ultimate outcome. In addition, an unfavorable outcome in one or more of these cases could cause the Company to change its compensation plans for its employees, which could have a material adverse effect upon the Company’s business.
Government regulations may result in prohibition or restriction of certain types of employment services or the imposition of additional licensing or tax requirements that may reduce the Company’s future earnings. In many jurisdictions in which the Company operates, the employment services industry is heavily regulated. For example, governmental regulations in some countries restrict the length of contracts and the industries in which the Company’s employees may be used. In other countries, special taxes, fees or costs are imposed in connection with the use of its employees. Additionally, trade unions in some countries have used the political process to target the industry in an effort to increase the regulatory burden and expense associated with offering or utilizing temporary staffing solutions.
The countries in which the Company operates may, among other things:
•create additional regulations that prohibit or restrict the types of employment services that the Company currently provides;
•require new or additional benefits be paid to the Company’s employees;
•require the Company to obtain additional licensing to provide employment services; or
•increase taxes, such as sales or value-added taxes, payable by the providers of temporary workers.
Any future regulations may have a material adverse effect on the Company’s business and financial results because they may make it more difficult or expensive for the Company to continue to provide employment services. Additionally, as the Company expands existing service offerings, adds new service offerings or enters new markets, it may become subject to additional restrictions and regulations which may impede its business, increase costs and impact profitability. Additionally, as the Company expands existing service offerings, adds new service offerings, or enters new markets, it may become subject to additional restrictions and regulations which may impede its business, increase costs and impact profitability.
The Company’s business is subject to extensive government regulation and a failure to comply with regulations could harm its business. The Company’s business is subject to regulation or licensing in many states in the U.S. and in certain foreign countries. While the Company has had no material difficulty complying with regulations in the past, there can be no assurance that the Company will be able to continue to obtain all necessary licenses or approvals or that the cost of compliance will not prove to be material. Any inability of the Company to comply with government regulation or licensing requirements could materially adversely affect the Company. Further, changes to existing regulation or licensing requirements could impose additional costs and other burdens or limitations on the Company’s operations. In addition, the Company’s contract talent services business entails employing individuals on a temporary basis and placing such individuals in clients’ workplaces. Increased government regulation of the workplace or of the employer-employee relationship, or judicial or administrative proceedings related to such regulation, could materially adversely affect the Company. In addition, to the extent that government regulation imposes increased costs upon the Company, such as unemployment insurance taxes, there can be no assurance that such costs will not adversely impact the Company’s profit margins. Further, lawsuits or other proceedings related to the Company’s compliance with government regulations or licensing requirements could materially adversely affect the Company. For example, the Company is currently named as a defendant in PAGA litigation in California alleging wage and hour and other labor code compliance issues. It is not possible to predict the outcome of such litigation; however, such litigation or any future lawsuits or proceedings related to the Company’s compliance with government regulation or licensing requirements could consume substantial amounts of the Company’s financial and managerial resources, and might result in adverse publicity regardless of the ultimate outcome of any such lawsuits or other proceedings. An unfavorable outcome with respect to such litigation or any future lawsuits or proceedings could, individually or in the aggregate, cause the Company to incur substantial liabilities that may have a material adverse effect upon the Company’s business, financial condition or results of operations.
10
If the Company fails to comply with Anti-Bribery Laws, anti-forced labor laws or economic sanction regulations, it could be subject to substantial fines or other penalties and reputational harm. In many parts of the world, including countries in which the Company operates and/or seeks to expand, practices in the local business community might not conform to international business standards and could violate the U.S. Foreign Corrupt Practices Act (“FCPA”), the U.K. Bribery Act, and other anti-corruption and anti-bribery laws and regulations (“Anti-Bribery Laws”). These laws generally prohibit companies, their employees and third-party intermediaries from authorizing, promising, offering, providing, soliciting or accepting, directly or indirectly, improper payments or benefits to or from any person whether in the public or private sector. In addition, some of these laws have accounting provisions that require the Company to maintain accurate books and records and a system of internal accounting controls. Any violation of the FCPA or other applicable Anti-Bribery Laws could result in substantial fines, sanctions or civil and/or criminal penalties, debarment from business dealings with certain governments or government agencies or restrictions on the marketing of the Company’s products in certain countries, and damage to the Company’s reputation, which could harm the Company’s business, financial condition or results of operations.
Additionally, the U.S. Department of the Treasury’s Office of Foreign Assets Control and other relevant agencies of the U.S. government administer certain laws and regulations that restrict U.S. persons and in some instances non-U.S. persons from conducting activities, transacting business with or making investments in certain countries, or with certain governments, entities and individuals, subject to U.S. economic sanctions. Similar economic sanctions are imposed by the European Union and other jurisdictions. The Company’s international operations subject it to these and other laws and regulations, which are complex, restrict the Company’s business dealings with certain countries, governments, entities and individuals, and are constantly changing. Penalties for noncompliance with these complex laws and regulations can be significant and include substantial fines, sanctions, or civil and/or criminal penalties, and violations can result in adverse publicity, which could harm the Company’s business, financial condition or results of operations. Penalties for noncompliance with these complex laws and regulations can be significant and include substantial fines, sanctions or civil and/or criminal penalties, and violations can result in adverse publicity, which could harm the Company’s business, financial condition or results of operations.
Although the Company has implemented policies and procedures designed to ensure compliance with Anti-Bribery Laws, U.S. export control laws, economic sanctions, anti-forced labor, and other laws and regulations, the Company cannot be sure that its employees, agents or other third parties will not violate such policies or applicable laws and regulations. Any such violations could result in significant fines and penalties, criminal sanctions against the Company, its officers or its employees, and prohibitions on the conduct of its business, causing material damage the Company’s reputation, brand, business and operating results. Any such violations could result in significant fines and penalties, criminal sanctions against the Company, its officers or its employees, prohibitions on the conduct of its business, and materially damage the Company’s reputation, brand, business and operating results. Further, detecting, investigating and resolving actual or alleged violations is expensive and can consume significant time and attention of the Company’s senior management.
Health care reform could increase the costs of the Company’s contract staffing operations. The Company cannot predict with any certainty the impact of the adoption of any health care reform legislation on the Company’s financial condition or operating results. Whether or not there is alternative health care legislation enacted in the U.S., there is likely to be significant disruption to the health care market in the coming months and years. Consequently, the costs of the Company’s health care expenditures may rise, adversely impacting the Company’s profitability.
The Company could be subject to changes in tax rates, adoption of new U.S. or international tax legislation or tax audits that could result in additional income tax liabilities. The Company is subject to income and other taxes in the U.S. and international jurisdictions. The tax bases and rates of these respective tax jurisdictions change from time to time due to economic and political conditions. Tax accounting involves complex matters and requires judgment to determine the Company’s worldwide provision for income and other taxes and tax assets and liabilities. The Company is routinely subject to tax examinations by the U.S. Internal Revenue Service and other tax authorities. Tax authorities have disagreed, and may disagree in the future, with the Company’s judgments and if its judgments are not sustained as a result of these examinations, the amounts ultimately paid could be materially different from the amounts previously recorded.
In addition, changes in tax laws, treaties or regulations, or their interpretation or enforcement, have become more unpredictable and may become more stringent, which could materially adversely affect the Company’s tax position. A number of countries where the Company does business, including the U.S. and many countries in the European Union, have implemented, and are considering implementing, changes in relevant tax, accounting and other laws, regulations and interpretations. The overall tax environment has made it increasingly challenging for multinational corporations to operate with certainty about taxation in many jurisdictions. For example, the Organization of Economic Cooperation and Development (“OECD”), an international association of many countries, has introduced a framework to impose a 15% global minimum corporate tax, referred to as Pillar Two, effective for tax years beginning in 2024. On January 5, 2026, the OECD released new guidance establishing the Side-by-Side (“SbS”) program under the Pillar Two global minimum tax framework. The SbS program includes a Simplified Effective Tax Rate Safe Harbor, an extended Transitional Country-by-Country Reporting Safe Harbor, and a Substance-based Tax Incentive Safe Harbor. These enacted and proposed changes in tax laws, treaties or regulations, or their interpretation or enforcement could have a material adverse impact on the Company’s current or future tax positions.
11
Risks Related to the Company’s Information Technology, Cybersecurity and Data Protection
Company and third-party computer, technology and communications hardware and software systems and assets (“IT Assets”) are vulnerable to damage, unauthorized access and disruption that could expose the Company to material operational, financial and reputational damage (including the unauthorized access to, or exposure of, personal and confidential information and intellectual property). The Company’s ability to manage its operations using IT Assets successfully is critical to its success and largely depends upon the efficient and uninterrupted operation of its and third parties’ IT Assets, some of which are managed and run by third-party vendors. The Company’s primary IT Assets (and, as a result, its operations) are vulnerable to damage or interruption from power outages, computer, technology and telecommunications failures, computer viruses, security breaches, cyberattacks, catastrophic events, and errors in usage by the Company’s or its vendors’ employees and contractors. The Company’s primary systems (and, as a result, its operations) are vulnerable to damage or interruption from power outages, computer, technology and telecommunications failures, computer viruses, security breaches, catastrophic events, and errors in usage by the Company’s or its vendors’ employees and contractors. In addition, the Company’s IT Assets contain personal and confidential information and intellectual property, including information of importance to the Company and its employees, vendors, contractors and clients. In addition, the Company’s systems contain personal and confidential information and intellectual property, including information of importance to the Company, and its employees, vendors, contractors, and clients.
Cyberattacks, including attacks motivated by the desire for monetary gain or embarrassment, geopolitics, and grievances against the business services industry in general or against the Company in particular, could potentially disable or damage the Company’s IT Assets or those of its vendors or clients, or allow unauthorized access to, or exposure of, intellectual property and personal or confidential information, including information about employees, vendors, candidates, contractors and clients.Cyberattacks, including attacks motivated by the desire for monetary gain, embarrassment, geopolitics, and grievances against the business services industry in general or against the Company in particular, could potentially disable or damage its systems or the systems of its vendors or clients, or allow unauthorized access to, or exposure of, intellectual property and personal or confidential information, including information about employees, vendors, candidates, contractors and clients. The Company’s security tools, controls and practices, including those relating to identity and access management, credential strength, and the security tools, controls and practices of its vendors and clients, may not prevent or detect access, damage or disruption to Company or third-party IT Assets or the unauthorized access to, or exposure of, intellectual property or personal or confidential information. The Company’s security tools, controls and practices, including those relating to identity and access management, credential strength, and the security tools, controls and practices of its vendors and clients, may not prevent or detect access, damage or disruption to Company or third-party computer, technology, and communications hardware and software systems or the unauthorized access to, or exposure of, intellectual property or personal or confidential information. A failure to prevent or detect unauthorized access to Company or third-party IT Assets could expose the Company to material operational, financial and reputational damage. There are many approaches through which such IT Assets or the information stored thereon could be damaged, disrupted, exposed or accessed, including through system vulnerabilities, configuration errors, vendor vulnerabilities, social engineering, cyberattacks (including cyberattacks through the use of AI), improper acquisition and use of user credentials, malfeasance, or the misuse of authorized user access. There are many approaches through which such systems could be damaged or disrupted, or information exposed or accessed, including through system vulnerabilities, configuration errors, vendor vulnerabilities, failing to patch or upgrade systems, social engineering, cyberattacks, improperly obtaining and using user credentials, malfeasance or the misuse of authorized user access.
Periodic and continuous assessments are conducted by the Company on its IT Assets to identify security risks, vulnerabilities, weaknesses or gaps, and a risk-based approach is then employed to address them. This risk-based approach prioritizes risks, vulnerabilities, weaknesses and gaps based on, among other factors, budgetary constraints, impact, likelihood of mitigation and the broader risk landscape.
No security program can offer a guarantee against all potential cyberattacks or other cybersecurity-related incidents. The Company and its third-party vendors experience cybersecurity attacks with increasing frequency, including incidents that have resulted in unauthorized access to the Company’s or its third-party vendors’ IT Assets. To date, no such incidents have been determined to have had a material impact on the Company, but there is no guarantee that such incidents will not have a material impact on the Company in the future. To date, no such incidents have been determined to have had a material impact on the Company.
The Company has transitioned a significant number of its employee population to remote work. This transition has also increased the Company’s vulnerability to cybersecurity-related risks related to the Company’s IT Assets and has exacerbated certain related risks, including risks of phishing and other cybersecurity attacks.
The damage or disruption to Company or third-party systems, or unauthorized access to, or exposure of, intellectual property or personal or confidential information, could harm the Company’s operations, reputation and brand, resulting in a loss of business or revenue. It could also subject the Company to government sanctions, litigation from candidates, contractors, clients and employees, and legal liability under its contracts, resulting in increased costs or loss of revenue. The Company may also incur additional expenses, including the cost of remediating cybersecurity incidents or improving security measures, identifying and retaining replacement vendors, increased insurance premiums, or ransomware payments. The Company may also incur additional expenses, including the cost of remediating incidents or improving security measures, the cost of identifying and retaining replacement vendors, increased costs of insurance, or ransomware payments.
Cybersecurity threats continue to increase in frequency and sophistication (including through the use of AI), thereby increasing the difficulty of detecting and defending against them. Furthermore, the potential risk of cybersecurity breaches and cyberattacks may increase as the Company introduces new service offerings and deploys new AI technologies. Furthermore, the potential risk of security breaches and cyberattacks may increase as the Company introduces new service offerings. Any future events impacting the Company or its third-party vendors that damage or interrupt the Company’s or its third-party vendors’ IT Assets or expose intellectual property or data or other confidential information stored thereon could have a material adverse effect on the Company’s operations, reputation and financial results. Any future events impacting the Company or its third-party vendors that damages or interrupts the Company’s or its third-party vendors’ computer, technology, and communications hardware and software systems or exposes intellectual property or data or other confidential information could have a material adverse effect on our operations, reputation, and financial results.
Changes in data privacy and protection laws and regulations relating to the use and control of personal information (and the failure to comply with such laws and regulations) could increase the Company’s costs or otherwise adversely impact its operations, financial results, and reputation. In the ordinary course of business, the Company collects, uses and retains personal information from its clients, employees, candidates and contractors, including, without limitation, full names, government-issued identification numbers, addresses, phone numbers, birthdates and payroll-related information. The possession and use of personal information in conducting the Company’s business subjects it to a variety of complex and evolving domestic and foreign laws and regulations regarding data privacy.
12
For example, the European Union’s General Data Protection Regulation (“GDPR”), which became effective in May 2018, imposes specific operational requirements on entities that process personal information (including requirements relating to data transfers to certain countries outside the European Union) and strong enforcement mechanisms. In the United States, the California Consumer Privacy Act (the “CCPA”), which became effective in January 2020, limits the collection and use of personal data and mandates that covered companies provide new disclosures to California consumers and afford such consumers new data privacy rights. Under the CCPA, a data breach affecting California residents’ personal information because of a failure to maintain reasonable security procedures and practices can trigger a private right of action lawsuit, and as a result data breach litigation is likely to increase. Many other U.S. states have enacted their own privacy laws that are in some ways similar to, and in other ways different from, the CCPA’s requirements. Compliance with the GDPR, the CCPA and other current and future laws and regulations relating to data storage, use, transfer, residency, privacy and protection has increased and may continue to increase the Company’s operating costs and may require significant management time and attention. Further, any actual or perceived failure by the Company or its subsidiaries to comply with applicable laws could result in litigation, reputational harm, governmental enforcement actions or fines, and other penalties that could potentially have an adverse effect on the Company’s operations, financial results and reputation. An unfavorable outcome with respect to such litigation or any future lawsuits or proceedings could, individually or in the aggregate, cause the Company to incur substantial liabilities that may have a material adverse effect upon the Company’s business, financial condition or results of operations.
Risks Related to the Intellectual Property
The Company may not be able to adequately protect its intellectual property (“IP”) or may be found to infringe upon the IP rights of others, which could harm the value of the Company’s brand and adversely affect its business. The Company utilizes IP, including patents, trademarks, copyrights and trade secrets, in its business, including in the software and AI the Company uses, and in its customer lists. A combination of patent, copyright, trademark and trade secret laws in the jurisdictions in which the Company operates are critical to protecting these IP rights. However, these laws may not be adequate to protect the Company’s IP from being challenged, invalidated, infringed, diluted or misappropriated. While the Company enters into confidentiality agreements with employees, consultants and partners, such agreements may not be effective in preventing unauthorized disclosure or use of its proprietary information. If such disclosures occur, the Company may not have adequate remedies.
Moreover, while it is the Company’s policy to protect and vigorously defend its IP rights, it cannot predict whether steps taken by it will be adequate to prevent misappropriation of these rights or the use by others of the Company’s IP. IP disputes and proceedings and infringement claims may result in a significant distraction for management and significant expense, which may not be recoverable regardless of whether the Company is successful. Such proceedings may be protracted with no certainty of success, and an adverse outcome could subject the Company to liabilities, force it to cease use of certain trademarks or other IP, or force it to enter into license agreements on terms which may not be favorable to the Company. Any one of these occurrences may have an adverse effect on the Company’s business, profitability, results of operation and financial condition.
The Company uses open-source software in connection with its software development, which could negatively affect its ability to operate its business and subject the Company to litigation or other actions. The Company uses and may continue to use open-source software in connection with the development and operation of its platforms. Open-source software is generally licensed under open-source licenses, which could subject the Company to unfavorable conditions, including requiring it to make publicly available the source code for any modifications or derivative works the Company develops using the open-source software. The Company may face claims demanding the release of software it developed that incorporates open-source software, which could include its source code, or otherwise seeking to enforce the terms of underlying license. Litigation could be costly for the Company to defend and could require it to devote additional research and development resources to change the Company’s platforms. Further, open-source licensors typically do not provide warranties or controls regarding the origin or security of the software and related support from the licensor is often unavailable. Therefore, the Company cannot be sure that the authors of the open-source software it uses will implement or offer updates to address security risks or will not abandon further development and maintenance. Many risks associated with usage of open-source software cannot be eliminated, and may, if not effectively addressed, negatively affect the Company’s operations, reputation and financial results.
Risks Associated With the Effects of Climate Change
The Company may be adversely affected by global climate change or by legal, regulatory or market responses to such change. The physical effects of climate change could have a material adverse effect on the Company’s operations and business. The physical effects of climate change could have a material adverse effect on our operations and business. To the extent climate change causes changes in weather patterns, certain regions where the Company operates could experience increases in storm intensity, extreme temperatures, wildfires, rising sea-levels and/or drought. Over time, these conditions could result in increases in the Company’s operating costs or business interruptions. Over time, these conditions could result in increases in our operating costs or business interruptions. For example, the Company’s headquarters are located in areas of California where the incidence of wildfire has increased over time and may continue to increase. For example, our headquarters is located in an area of California where the incidence of wildfire has increased over time and may continue to increase. In addition, in 2023 the Company established certain emissions targets and other environmental goals and submitted them for validation to the SBTi. Failure to achieve such goals, or a perception (whether valid or invalid) of failure to achieve such goals, could result in market, reputational, regulatory or liability risks, client dissatisfaction, reduced revenue and profitability, or shareholder
13
lawsuits. If the Company is unable to achieve its environmental goals, the Company’s business and reputation may be adversely affected. If the Company is unable to achieve our environmental goals, our business and reputation may be adversely affected. There can be no assurance that climate change will not have a material adverse effect on the Company’s properties, operations or business. There can be no assurance that climate change will not have a material adverse effect on our properties, operations or business.
General Risks
Failure to maintain adequate financial and management processes and controls could lead to errors in the Company’s financial reporting. If the Company’s management is unable to certify the effectiveness of its internal controls or if its independent registered public accounting firm cannot render an opinion on the effectiveness of its internal control over financial reporting, or if material weaknesses in the Company’s internal controls are identified, the Company could be subject to regulatory scrutiny and a loss of public confidence. In addition, if the Company does not maintain adequate financial and management personnel and processes and controls, it may not be able to accurately report its financial performance on a timely basis, which could cause its stock price to fall.
Failure to identify and respond to risk issues in a timely manner could have a material adverse effect on the Company’s business. Although the Company has processes in place to attempt to identify and respond to risk issues in a timely manner, the Company’s efforts may not be sufficient.
The collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior has a huge effect on timely escalation of risk issues, particularly those affecting core operations. The Company’s processes, corporate culture and general ethical climate may not be sufficient to ensure timely identification and escalation of significant risk issues.
Item 1B. Unresolved Staff Comments
Not applicable.
Item 1C. Cybersecurity
As part of the Company’s broader information security program, the cybersecurity program includes a defense-in-depth model that uses layered controls to protect against, detect, respond to and recover from cybersecurity incidents (“Incidents”). The Company’s cybersecurity program is designed to prioritize detection, analysis and response to known and anticipated cyber threats and effectively manage cyber risks and resilience against Incidents. The Company’s cybersecurity program is designed to prioritize detection, analysis and response to known and anticipated cyber threats and effective management of cyber risks and resilience against cybersecurity incidents. The Company designs its program using portions of several industry and regulatory frameworks as informative, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, NIST 800-53, International Organization for Standardization Information Security Management Systems (“ISO 27001”), the CIS Critical Security Controls and the System and Organization Controls 2 Type 2.
Cybersecurity Governance
Board Governance
The Board views cybersecurity as part of the Company’s overall enterprise risk management function, which the Board oversees. Cybersecurity is integrated into the Company’s business strategy, financial planning and capital allocation.
Management Governance
14
Members of the Enterprise Information Security Steering Committee also include the Global Data Privacy Officer, Chief Technology Officer, Chief Administrative Officer, the General Counsel and the Global Risk Officer of Protiviti.
Specifically, the Enterprise Information Security Steering Committee typically meets multiple times per year, including impromptu meetings as necessary, to:
•Review the cybersecurity threat landscape, risks and data security programs, and the Company’s management and strategy for attempting to mitigate cybersecurity risks and Incidents;
•Assess compliance with applicable information security laws and industry standards;
•Discuss cybersecurity policies, including the guidelines and policies established by the Company, which are designed to assess, monitor and mitigate the Company’s significant cybersecurity, technology and information systems’ related risk exposures; and
•Oversee crisis preparedness plans with respect to cybersecurity, including Incident response preparedness, communication plans and business continuity capabilities.
Processes Designed for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
The Cybersecurity Incident Response Team (“CIRT”), which provides technical expertise, and/or the Crisis Management Team (“CMT”), which focuses on business response, impact, business continuity and risk mitigation, work together and utilize a Cybersecurity Incident Response Plan (the “CIRP”) and the Playbook to: (1) prepare for and protect against Incidents; (2) detect and analyze Incidents; and (3) contain, eradicate and appropriately report on Incidents. In the event of an Incident, the CIRP provides a framework to coordinate the response. In the event of a cybersecurity incident, the CIRP provides a framework to coordinate the response. The CIRP and Playbook also address escalation protocols to senior management with respect to disclosure determinations related to an Incident and provides for Executive Team briefings as appropriate. The CIRP also addresses escalation protocols to senior management with respect to disclosure determinations related to a cybersecurity incident and provides for Executive Team briefings as appropriate. If the CIRT’s initial investigation of the facts of an Incident indicates the need for escalation for potential disclosure, the CMT will utilize the process in the Playbook and the Cyber Disclosure Procedure may be utilized.
The Playbook provides understandable and flexible processes for analyzing and responding to Incidents. In the event of an Incident, the Playbook provides predefined steps for response and escalation.
The Cyber Disclosure Procedure establishes a flexible and context-dependent process for determining whether an Incident constitutes a material Incident pursuant to the rules and regulations of the SEC. A committee of senior management personnel is established to assess potential Incidents. Standing members of the Cyber Disclosure Committee (“CDC”) include the President and Chief Executive Officer, Chief Financial Officer, General Counsel, Global Privacy Officer and Chief Technology Officer. Standing members of the Cyber Disclosure Committee (“CDC”) include President and Chief Executive Officer, Chief Financial Officer, General Counsel, Global Privacy Officer and Chief Technology Officer.
When evaluating the materiality of an Incident, the CDC considers both the quantitative and qualitative impacts, including the nature, extent and potential magnitude of the risks to the Company related to the Incident, particularly as it may relate to any compromised information or the scope of Company operations. If the CDC determines the Board should be notified, a meeting will be called with the Executive Committee of the Board, the Audit Committee Chair, the Board’s cybersecurity expert or any combination or subset of the foregoing.
EIS maintains a range of security controls, including multi-factor authentication, internal and external penetration testing, cybersecurity assessments, benchmarking, annual employee security training, and social engineering testing. To detect and prevent Incidents, the cybersecurity program uses automated event-detection technology monitored by the cyber defense team, notifications from employees, vendors or service providers, and other tools. To detect and prevent cybersecurity incidents, the cybersecurity program uses automated event-detection technology monitored by the cyber defense team, notifications from employees, vendors or service providers and other tools. The Company has relationships with a number of third-party service providers to assist with Incident response and containment and remediation efforts, including a forensic investigation firm, insurance providers, auditors, consultants, assessors and various law firms. While the Company maintains a robust cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, the Company operates with, and plans for, the notion that it is impossible to prevent or detect all Incidents, that Incidents will occur, and that the Company will not always be able to detect threats in a timely manner or anticipate and implement adequate
15
security measures. For additional information, see Item 1A. “Risks Related to the Company’s Information Technology, Cybersecurity and Data Protection.”
Cybersecurity Risks
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| HTH | an hour ago |
| HASI | an hour ago |
| OSCR | an hour ago |
| HCSG | an hour ago |
| MTH | an hour ago |
| MORN | an hour ago |
| DOV | an hour ago |
| PLD | an hour ago |
| CPS | an hour ago |
| EQR | an hour ago |
| VRTX | an hour ago |
| JPM | an hour ago |
| NEE | an hour ago |
| WY | an hour ago |
| HR | an hour ago |
| AON | an hour ago |
| ROKU | an hour ago |
| KMI | an hour ago |
| FROG | an hour ago |
| VRT | an hour ago |
| EXAS | an hour ago |
| UBER | an hour ago |
| AMGN | an hour ago |
| TRUP | an hour ago |
| NTGR | an hour ago |
| INSP | an hour ago |
| LEA | 2 hours ago |
| AAP | 2 hours ago |
| LSCC | 2 hours ago |
| NWL | 2 hours ago |
| TRIP | 2 hours ago |
| OM | 2 hours ago |
| WAB | 2 hours ago |
| TEX | 2 hours ago |
| RHI | 2 hours ago |
| GPI | 3 hours ago |
| HBAN | 3 hours ago |
| FCX | 3 hours ago |
| AGCO | 3 hours ago |
| PII | 3 hours ago |
| CHRW | 3 hours ago |
| CSL | 3 hours ago |
| WEX | 3 hours ago |
| ATMU | 4 hours ago |
| MHO | 4 hours ago |
| ITW | 4 hours ago |
| SXT | 4 hours ago |
| AXTA | 4 hours ago |
| TROW | 5 hours ago |
| DCH | 5 hours ago |
