SYNCHRONOSS TECHNOLOGIES INC - (SNCR)
10-K Filing Date: March 25, 2024
ITEM 1C. CYBERSECURITY
All companies utilizing technology are subject to threats of breaches of their cybersecurity programs. To mitigate the threat to our business and address regulatory requirements, we take a comprehensive approach to cybersecurity risk management and have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. We continue to make significant investments to augment the capabilities of our people, process, and technologies in order to address our cybersecurity risks. Our cybersecurity risks, and the controls designed to mitigate those risks, are integrated into our overall risk management governance within our Global Information Security (GIS) organization. Pursuant to our current policies, an update on the operations of the cybersecurity program and the risks and trends in cybersecurity are reviewed, at a minimum, annually by our Board of Directors and periodically by the Audit Committee of our Board of Directors (Audit Committee).
Risk Management and Strategy
We have implemented a systematic approach to managing our cybersecurity risks and have adopted a comprehensive set of cybersecurity policies that include best practices based on recognized industry standards and guidelines. These policies provide guidance on roles and responsibilities of key stakeholders and promote awareness. These policies also cover cyber education and training as well as help us to align with applicable laws and regulations to meet our compliance requirements. The primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our Chief Information Security Officer (CISO) within our GIS organization, who reports to our Chief Technology Officer. The CISO is also responsible for managing the risk assessment and mitigation process. Our CISO has over 13 years of experience serving in various roles in risk management as well as enterprise and cyber security, including serving as the project lead and founder of the Open Worldwide Application Security Project (OWASP) flagship project Security Shepherd, a web and mobile application security training program, and leading IBM’s ethical hacking team. He was also a principal security engineer at Axway prior to joining Synchronoss where he served as product security architect and a director of product security prior to accepting the role as our CISO. Our Chief Technology Officer has over 20 years of experience in the telecommunications industry, including serving as our Chief Architect and Senior Software Engineer, during which he oversaw our GIS program, including the governance, risk and compliance management related thereto. We also engage consultants, and other service providers, to help us implement our cybersecurity policies and procedures. 
These service providers assist us with monitoring security threats and vulnerabilities as well as responding to identified cybersecurity incidents, including prompt escalation and timely communication of major security incidents to senior business leadership and the Audit Committee.
As part of our cybersecurity policies, we conduct risk assessments designed to identify and prioritize potential cybersecurity threats, assess the likelihood and impact of those threats, and develop strategies for mitigating or managing cybersecurity risks. This involves assessing, evaluating and monitoring our vulnerabilities, as well as conducting impact analysis. Additionally, we provide ongoing cybersecurity awareness training to educate employees about the potential cybersecurity threats and how employees can identify potential threats and protect our data.
We have an Information Security Third Party Risk Management Policy, as well as a Vendor Code of Conduct, which contractually requires each third-party service provider accessing our or our customers’ information systems to comply with our information security policies, as well as to meet a minimum set of information security and data privacy and protection standards in connection with their delivery of products and/or services to us. We also engage a third-party service provider to assess our third-party suppliers for potential risks and effectiveness of controls related to information security and data privacy protection that are relevant in the context of their delivery of services.
Governance
Our CISO and GIS team meet regularly with our IT and cybersecurity service providers and internal teams, such as the Risk Advisory Board (RAB), about the Company’s ongoing compliance and risk management. GIS also drives business continuity and crisis management through coordinating and communicating with all levels of an organization and seeks to ensure that trends and emerging issues that could impact the business are considered and communicated as appropriate. Pursuant to our current policies, the GIS team also provides, at the minimum, annual briefings to our Board of Directors and periodic briefings to the Audit Committee regarding our cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, among other relevant topics. The RAB convenes periodically or as needed to review the cybersecurity risks in the business. The RAB consists of individuals from GIS as well as the Chief Technology Officer.
Cybersecurity Threat Disclosure
There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Although our “Risk Factors” in Item 1A include further detail about the material cybersecurity risks we face, we are not aware of any cybersecurity threats that have materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.