OneSpan Inc. - (OSPN)

10-K Filing Date: March 06, 2024
Item 1C - Cybersecurity


Risk Management and Strategy

As a cloud-based digital agreements and identity and authentication security solutions provider serving customers in regulated industries, we treat cybersecurity risk management as an important part of our identity. We maintain an enterprise cybersecurity risk management program designed to assess, identify, and manage material cybersecurity risks within our corporate information security environment and the systems we develop and operate for the benefit of our customers. Our cybersecurity risk management program is based upon best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the International Organization for Standardization (“ISO”) 27001 Information Security Management System Requirements.

Policies and Training. We maintain security policies, standards, and processes that apply across our operations and that are approved by management, communicated to our personnel, and reviewed on an annual basis. We provide a global security awareness education program that includes mandatory security and privacy awareness training for all personnel, regular phishing identification exercises, focused training opportunities for particular roles, and incident response training for key individuals.

Risk Assessment and Safeguards. We conduct regular assessments of risks and vulnerabilities to the confidentiality, integrity, and availability of data in our systems, and we implement safeguards to reduce these risks and vulnerabilities to a reasonable and appropriate level. For internal information systems and assets, we conduct regular internal reviews, employ continuous security monitoring, and conduct periodic independent reviews of the key components of our security program. For customer-facing products and services, in addition to internal reviews and testing, we undergo external reviews and penetration testing using an independent third-party provider. Our cloud platforms for SaaS solutions are audited annually by external independent auditors who review our platforms against the Service Organization Controls (“SOC”) 2 and ISO 27001, 27017 and 27018 standards, and some of our Digital Agreement products are available on a FedRAMP-compliant platform. Some of our products are certified under specific technical standards or industry guidelines, such as FIPS 140-2 and FIDO. Our Digipass authentication fulfillment services are also audited annually by external independent auditors against the SOC 2 standard. We conduct self-assessment activities for those standards or regulations that are not covered by the external auditors, such as the General Data Protection Regulation in Europe. Additionally, we periodically engage third-party consultants to assist with identifying, assessing, and/or managing cybersecurity threats.

Incident Management. We have a documented incident response plan for identifying and responding to cybersecurity incidents that focuses on isolating, containing, mitigating, and eradicating the threat as quickly as possible. In the event of a cybersecurity incident, we will follow a documented incident escalation procedure. For a discussion of whether any cybersecurity risks have materially affected, or are likely to materially affect, us, please see Item 1A, Risk Factors, which discusses the cybersecurity risks we have identified.

Third Party Risk Management. Our vendor security risk management program covers vendors that require connectivity to our systems or access to confidential information. We utilize a trust intelligence platform for managing data privacy and data governance which includes third-party risk management. Security reviews are performed periodically, based on vendor criticality, to identify potential security issues with the vendor systems or practices. New vendor contracts are reviewed by our legal and security teams, as appropriate, to confirm that security and data protection are appropriately addressed.

Material Cybersecurity Incidents. While we have experienced several security incidents in the past, we have not experienced any material cybersecurity incidents for the fiscal year ended December 31, 2023. We do not believe that there are currently any known risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company or our business strategy, results of operations or financial condition.

Governance

Our Board is primarily responsible for overseeing the assessment and management of our risk exposure, including the balance between risk and opportunity and the totality of risk exposure across the organization. The Audit Committee oversees the company’s cybersecurity risks and exposures. We operate our security program under a global Information Security Charter approved by the Audit Committee, and the Audit Committee receives security updates and information about cybersecurity risks from the Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”) at least quarterly. Our Board generally reviews the company’s overall risk management program at least annually, including the corporate insurance program, which includes our cybersecurity insurance policy. We maintain an Information Security Steering Committee, composed of key senior leaders, which oversees the corporate information security program and our cybersecurity posture. Cybersecurity threats with the possibility of heightened criticality are escalated to a management team composed of C-level executives and legal department representatives.

The CIO leads our global information technology organization and has nearly 30 years of information technology leadership experience, including acting as CIO at two cloud-based technology providers. The Senior Vice President of Research and Development has more than 25 years of information technology experience, including at another publicly traded technology company. Our CISO reports to the CIO and is responsible for leading our information security organization and overseeing our information security program. The CISO has over 20 years’ experience in information technology and security, including serving as Chief Information Security Officer at another cloud-based technology provider. Team members who support our cybersecurity risk management program have relevant education and experience in the fields of cybersecurity, risk management, security architecture, data protection, application security, audit, compliance, incident response, identity governance, and governance of enterprise information technology.