|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 29, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Management of material risks from cybersecurity threats for Kelly, Kelly subsidiaries, third-party suppliers and vendors occurs as part of the Company’s Enterprise Risk Management ("ERM") program. The Company’s ERM program provides ongoing risk identification, oversight, guidance, and mitigation on various risks, including cybersecurity. The Company has a Chief Information Security Officer ("CISO") responsible for the evaluation and mitigation of cybersecurity risks in coordination with the Company’s information technology, law, risk and insurance, and enterprise risk and compliance groups. These groups work in tandem on cybersecurity and privacy governance, and oversee the Company’s approach to information security, privacy, data governance, and IT infrastructure, which includes internal monitoring to proactively identify potential security threats, maintenance of access controls, asset management, response and recovery activities, and training and awareness programs.
The Company maintains technical and organizational safeguards, including vulnerability assessments, endpoint monitoring, penetration testing, employee training, incident response capability reviews and exercises, cybersecurity insurance and business continuity mechanisms to protect the Company’s assets and operations. In addition to our internal information security team, we rely on services from various third parties, including a Managed Security Service Provider ("MSSP") and services from an IT solutions organization. To evaluate the effectiveness of these internal and external efforts, Kelly adopted the National Institute of Standards and Technology Cybersecurity framework ("NIST CSF") and is assessed against the NIST CSF by a third-party firm at least annually. We use the assessment, reviews and exercises to ensure that the Company’s information security program and processes for managing material cybersecurity risks are responsive to changes in the threat environment.
We rely upon multiple information technology systems and networks, some of which are web-based or managed by third parties, to process, transmit, and store electronic information and to manage or support a variety of critical business processes and activities. We actively review the risks associated with all third-party service providers at the inception of our relationship with them and on an ongoing basis as part of our information security program and enterprise risk management third-party risk assessment process. These processes include architecture reviews and contractual clauses related to data protection and compliance, SSAE audits and reviews of vendor System and Organization Controls ("SOC") 1 and SOC 2 Type II reports for critical vendors and ongoing monitoring and reporting of vendor security by independent third parties.
Cybersecurity Threats
Although we have not experienced a cybersecurity incident that materially affected our results of operations or financial condition, we periodically experience cyberattacks, which may include the use or attempted use of malware, ransomware, computer viruses, phishing, social engineering schemes, and other means of attempted disruption or unauthorized access. Additionally, the rapid pace of change in information security and cybersecurity threats could result in cyberattacks with little or no notice. Our relationships with third parties, including suppliers we manage, customers, and vendors to whom we outsource or rely on for business processes or software, create potential avenues for malicious actors to initiate a supply chain attack. Even in instances where we are not the direct target of a malicious actor, we could be exposed to risk due to our relationships and business processes with these third parties.
Despite security measures, unforeseen exploits create an inherent risk of cyberattacks that could materially affect our operations without notice. An event involving the destruction, modification, accidental or unauthorized release, or theft of sensitive information from systems related to our business, or an attack that results in damage to or unavailability of our key technology systems or those of critical vendors (e.g., ransomware), could result in damage to our reputation, fines, regulatory sanctions or interventions, contractual or financial liabilities, additional compliance and remediation costs, loss of employees or customers, loss of payment card network privileges, operational disruptions and other forms of costs, losses or reimbursements, any of which could materially adversely affect our operations or financial condition. Our cyber security and business continuity plans, and those of our third parties with whom we do business, may not be effective in anticipating, preventing, or effectively responding to all potential cyber risk exposures. Our insurance coverage may not be sufficient to cover all such costs or consequences, and there can be no assurance that any insurance that we now maintain will remain available under acceptable terms.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Management of material risks from cybersecurity threats for Kelly, Kelly subsidiaries, third-party suppliers and vendors occurs as part of the Company’s Enterprise Risk Management ("ERM") program. The Company’s ERM program provides ongoing risk identification, oversight, guidance, and mitigation on various risks, including cybersecurity.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our board of directors oversees consideration of strategic risks to the Company as well as management’s actions to address and mitigate those risks and delegates oversight of specific risk topics to relevant board committees. The Company’s CISO, Chief Information Officer ("CIO"), Chief Risk and Privacy Officer, General Counsel, Chief Financial Officer ("CFO"), Chief Executive Officer ("CEO"), and other officers review the Company’s cybersecurity metrics on access controls, asset management, response and recovery activities, training and awareness programs, cybersecurity threats and certain incident information quarterly, and on an ad hoc basis when necessary. The Company's Chief Risk and Privacy Officer, CISO, Vice President of Internal Audit and certain members of this management team and select members from their teams convene monthly to manage cybersecurity and privacy governance. The Chief Risk and Privacy Officer holds similar quarterly reviews with the Audit Committee Chair of the Company's Board of Directors, each committee chair, and other directors including the CEO, CFO, and General Counsel. During these reviews, topics include:
•implementation and third-party evaluation of the Company’s cybersecurity program, including applicable policies, procedures, governance, and adopted risk management framework;
•the impact of cybersecurity and privacy risks on the Company’s services, employees, customers, suppliers, vendors and the staffing industry; and
•information on global regulatory changes and best practices.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company’s CISO, Chief Information Officer ("CIO"), Chief Risk and Privacy Officer, General Counsel, Chief Financial Officer ("CFO"), Chief Executive Officer ("CEO"), and other officers review the Company’s cybersecurity metrics on access controls, asset management, response and recovery activities, training and awareness programs, cybersecurity threats and certain incident information quarterly, and on an ad hoc basis when necessary. The Company's Chief Risk and Privacy Officer, CISO, Vice President of Internal Audit and certain members of this management team and select members from their teams convene monthly to manage cybersecurity and privacy governance. The Chief Risk and Privacy Officer holds similar quarterly reviews with the Audit Committee Chair of the Company's Board of Directors, each committee chair, and other directors including the CEO, CFO, and General Counsel.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company’s CISO, Chief Information Officer ("CIO"), Chief Risk and Privacy Officer, General Counsel, Chief Financial Officer ("CFO"), Chief Executive Officer ("CEO"), and other officers review the Company’s cybersecurity metrics on access controls, asset management, response and recovery activities, training and awareness programs, cybersecurity threats and certain incident information quarterly, and on an ad hoc basis when necessary. The Company's Chief Risk and Privacy Officer, CISO, Vice President of Internal Audit and certain members of this management team and select members from their teams convene monthly to manage cybersecurity and privacy governance. The Chief Risk and Privacy Officer holds similar quarterly reviews with the Audit Committee Chair of the Company's Board of Directors, each committee chair, and other directors including the CEO, CFO, and General Counsel. During these reviews, topics include:
•implementation and third-party evaluation of the Company’s cybersecurity program, including applicable policies, procedures, governance, and adopted risk management framework;
•the impact of cybersecurity and privacy risks on the Company’s services, employees, customers, suppliers, vendors and the staffing industry; and
•information on global regulatory changes and best practices.
In addition to the reports submitted quarterly by the Company’s Chief Risk and Privacy Officer and CISO, the Vice President of Internal Audit independently assesses the Company’s risk management process and separately reports on the effectiveness of the Company’s risk identification, prioritization, and mitigation processes to the Audit Committee. All board members are kept apprised of its committees’ risk oversight activities through reports from the committee chairs presented at regular Board meetings. The Company utilizes a multi-layered approach to prevent and detect cyber threats and has standard operating procedures relating to the identification, incident response and notification and management escalations for security incidents. In line with those procedures, the Company activates an emergency management team ("EMT"), empowered to make decisions, and respond to critical events including cyber incident mitigation and remediation activities. EMT members for information security incidents would include the CISO, CIO, and Chief Risk and Privacy Officer, additional members from the information technology and ERM teams as well as representation from the General Counsel Office, Finance, Communications and Business Operations as appropriate. While active, the EMT provides regular reports to the CEO, General Counsel and other members of the senior leadership team.
|Cybersecurity Risk Role of Management [Text Block]
|The Company’s CISO, Chief Information Officer ("CIO"), Chief Risk and Privacy Officer, General Counsel, Chief Financial Officer ("CFO"), Chief Executive Officer ("CEO"), and other officers review the Company’s cybersecurity metrics on access controls, asset management, response and recovery activities, training and awareness programs, cybersecurity threats and certain incident information quarterly, and on an ad hoc basis when necessary. The Company's Chief Risk and Privacy Officer, CISO, Vice President of Internal Audit and certain members of this management team and select members from their teams convene monthly to manage cybersecurity and privacy governance. The Chief Risk and Privacy Officer holds similar quarterly reviews with the Audit Committee Chair of the Company's Board of Directors, each committee chair, and other directors including the CEO, CFO, and General Counsel. During these reviews, topics include:
•implementation and third-party evaluation of the Company’s cybersecurity program, including applicable policies, procedures, governance, and adopted risk management framework;
•the impact of cybersecurity and privacy risks on the Company’s services, employees, customers, suppliers, vendors and the staffing industry; and
•information on global regulatory changes and best practices.
In addition to the reports submitted quarterly by the Company’s Chief Risk and Privacy Officer and CISO, the Vice President of Internal Audit independently assesses the Company’s risk management process and separately reports on the effectiveness of the Company’s risk identification, prioritization, and mitigation processes to the Audit Committee. All board members are kept apprised of its committees’ risk oversight activities through reports from the committee chairs presented at regular Board meetings. The Company utilizes a multi-layered approach to prevent and detect cyber threats and has standard operating procedures relating to the identification, incident response and notification and management escalations for security incidents. In line with those procedures, the Company activates an emergency management team ("EMT"), empowered to make decisions, and respond to critical events including cyber incident mitigation and remediation activities. EMT members for information security incidents would include the CISO, CIO, and Chief Risk and Privacy Officer, additional members from the information technology and ERM teams as well as representation from the General Counsel Office, Finance, Communications and Business Operations as appropriate. While active, the EMT provides regular reports to the CEO, General Counsel and other members of the senior leadership team.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Company has a Chief Information Security Officer ("CISO") responsible for the evaluation and mitigation of cybersecurity risks in coordination with the Company’s information technology, law, risk and insurance, and enterprise risk and compliance groups.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has over 20 years of experience in information security and security engineering at various technology and staffing companies. The CISO reports directly to the CIO, who has over 30 years of experience serving as Chief Information Officer, Director of IT, and other roles in corporate information technology at staffing and technology companies. In addition, the Company’s Management Team and Cybersecurity and Privacy Governance Team is composed of individuals with collective decades of experience in information technology, data protection, threat response, emergency management, business continuity, and disaster recovery.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Company’s CISO, Chief Information Officer ("CIO"), Chief Risk and Privacy Officer, General Counsel, Chief Financial Officer ("CFO"), Chief Executive Officer ("CEO"), and other officers review the Company’s cybersecurity metrics on access controls, asset management, response and recovery activities, training and awareness programs, cybersecurity threats and certain incident information quarterly, and on an ad hoc basis when necessary. The Company's Chief Risk and Privacy Officer, CISO, Vice President of Internal Audit and certain members of this management team and select members from their teams convene monthly to manage cybersecurity and privacy governance. The Chief Risk and Privacy Officer holds similar quarterly reviews with the Audit Committee Chair of the Company's Board of Directors, each committee chair, and other directors including the CEO, CFO, and General Counsel. During these reviews, topics include:
•implementation and third-party evaluation of the Company’s cybersecurity program, including applicable policies, procedures, governance, and adopted risk management framework;
•the impact of cybersecurity and privacy risks on the Company’s services, employees, customers, suppliers, vendors and the staffing industry; and
•information on global regulatory changes and best practices.
In addition to the reports submitted quarterly by the Company’s Chief Risk and Privacy Officer and CISO, the Vice President of Internal Audit independently assesses the Company’s risk management process and separately reports on the effectiveness of the Company’s risk identification, prioritization, and mitigation processes to the Audit Committee. All board members are kept apprised of its committees’ risk oversight activities through reports from the committee chairs presented at regular Board meetings. The Company utilizes a multi-layered approach to prevent and detect cyber threats and has standard operating procedures relating to the identification, incident response and notification and management escalations for security incidents. In line with those procedures, the Company activates an emergency management team ("EMT"), empowered to make decisions, and respond to critical events including cyber incident mitigation and remediation activities. EMT members for information security incidents would include the CISO, CIO, and Chief Risk and Privacy Officer, additional members from the information technology and ERM teams as well as representation from the General Counsel Office, Finance, Communications and Business Operations as appropriate. While active, the EMT provides regular reports to the CEO, General Counsel and other members of the senior leadership team.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true