VERINT SYSTEMS INC - (VRNT)
10-K Filing Date: March 27, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Verint takes steps to protect our data and third-party data we receive from our customers through the implementation of technological and organizational measures designed to reduce the risk from cybersecurity threats, including data theft or destruction.
Under the oversight of the Board of Directors, we regularly undertake enterprise risk assessments and have implemented policies, procedures, and programs designed to help manage the risks to which we are exposed in our business, including cybersecurity risks. As part of our enterprise risk management process, we have implemented a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems, as well as the systems of third parties on whom we rely, such as our cloud hosting partners. Our cybersecurity program is designed to assess, identify, and manage material risks and vulnerabilities to our security posture, including prioritizing and remediating cybersecurity risks. Our program calls for, among other things:
• incorporation of cybersecurity in our overall enterprise risk management processes, including periodic enterprise risk assessments and tools used to track and monitor risks;
• regular reviews of cybersecurity risks and mitigation efforts specifically;
• use of software and hardware tools and services to help safeguard our systems and product offerings;
• certifications or conformance for certain products and services; and
• assessments designed to help identify cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment.
Core security operational and engineering functions, along with third-party supplier security assessments, are managed by our internal security employees. Third-party consultants are engaged to perform assessments of our cybersecurity program, and for security incident response where impact and materiality reach a critical threshold.
In addition, we provide an employee information security training program to educate employees on various cybersecurity risks and mitigation strategies. We also maintain policies and processes governing our third-party security risks. As part of these processes, we gather information from certain third parties who contract with us and share or receive data, or have access to or integrate with our systems, in order to help us assess potential risks associated with their security controls. We also generally require certain third parties to, among other things, maintain security controls to protect our confidential information and data, and notify us of certain data breaches that may impact our data.
We have experienced cybersecurity incidents in the past and expect to continue to experience them in the future. We do not believe that any past cybersecurity incidents have had a material adverse effect on our business, operations, or financial condition. However, there can be no assurance that our cybersecurity risk management program will prevent or mitigate a cybersecurity threat or incident, and it is possible that such events could occur, and could have a material adverse effect on our business, operations, or financial condition in the future. See the “Risk Factors” in Part I, Item 1A of this report for further discussion of the cybersecurity and related risks we face.
Governance
Verint’s cybersecurity program is overseen by our Chief Information Security Officer (“CISO”), whose team is responsible for managing and executing on our cybersecurity strategy, policy, standards, architecture, and processes, including as described above. Our CISO has over 25 years of leadership experience in IT and cybersecurity and maintains an industry-leading cybersecurity certification. Verint’s overall cybersecurity team holds relevant skills training and certifications based on their specific focus areas, such as security operations, cyber risk management, and data security. Our cybersecurity team is regularly trained to combat current and emerging threats. Verint maintains and operates a 24x7 security operations center (“SOC”) that monitors all aspects of our security infrastructure. Verint’s SOC executes our security incident response plan inclusive of identification, mitigation, remediation, and recovery processes. These processes govern assessment of materiality and impact, along with management of communications, response, and recovery plans. Our CISO reports to our Chief Administrative Officer (“CAO”) and provides regular reports on our cybersecurity program to the CAO and other members of our senior management team.
The Board of Directors oversees risk management and compliance generally, including information security and cybersecurity. The Audit Committee of our Board of Directors has primary responsibility for supervising our cybersecurity program on behalf of the Board consistent with the requirements of its charter, including with respect to risk management, risk assessment, oversight of management’s activities and expertise, and disclosure controls and procedures; however, the full Board is briefed regularly throughout the year. As part of the cybersecurity oversight by the Audit Committee and our Board of Directors, our CAO provides formal reports to the Board (including to all members of the Audit Committee) at least quarterly. These reports include updates on our cyber risks and threats, information security systems, and information security program. In addition, our CAO and CISO also meet directly with members of the Audit Committee on an ad hoc basis to discuss and seek guidance on our cybersecurity program.