CNS AR24 Digital - Book - Page 36
We also use third-party service providers to perform a variety of functions throughout our business, such as application
providers, hosting companies and supply chain resources. We maintain a risk-based approach to identifying and overseeing
cybersecurity risks and vulnerabilities presented by our engagement of third parties, as well as the information systems of
third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party
systems. Our vendor risk management program may involve different assessments designed to help identify cybersecurity
risks including: (i) vendor risk assessments; (ii) security questionnaires; (iii) vendor audits; (iv) vulnerability scans relating to
vendors; (v) security assessment calls with the vendor9s security personnel and our review of the vendor9s written security
program, security assessments and other reports; (vi) evidence of cybersecurity preparedness through a System and
Organization Controls (SOC) 1 or SOC 2 report; and (vii) the imposition of contractual obligations on the vendor.
For a description of the risks from cybersecurity threats that may materially affect the Company, see our risk factors
under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including under the caption
