INNODATA INC - (INOD)
10-K Filing Date: March 04, 2024
Cybersecurity Risk Management and Strategy
We recognize the importance of developing, implementing and maintaining a firm cybersecurity posture to safeguard our information systems, protect the confidentiality, integrity and availability of our data and mitigate risks associated with cyber threats and attacks.
We are ISO/IEC 27001:2013 certified and the ISO Information Security Risk Management Standard is used as a reference guide for our risk management approach. We have a designated Chief Information Security Officer (CISO) who has primary responsibility for managing our cybersecurity risks. Our CISO has more than 28 years of experience in Information Security and holds a master’s degree in Information Technology. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CISO is assisted by a team of Information Security Officers (ISOs) and a third-party consultant who has expertise in cybersecurity, information security risk management, and information systems audit and holds various certifications including CISA, CISM, HITRUST Certified Common Security Framework Practitioner, QSA, and CSP.
Recognizing the inherent cybersecurity risks common to any organization, encompassing concerns such as unauthorized access to sensitive data, potential disruptions to business operations from cyber incidents, and the associated financial and reputational impacts arising from a cybersecurity breach, we have implemented comprehensive policies covering various aspects of cybersecurity and information management, including, without limitation, cyber risk management, information security practices, roles and responsibilities, access controls, cryptography, information classification, asset disposal, and vendor management. We periodically review and modify these policies to align with industry practice, trends and evolving threat landscapes. Compliance with these policies is expected from all employees and contractors.
We perform periodic assessments for identifying threats and vulnerabilities, covering relevant operational facets, and focusing on identifying, analyzing, evaluating, and treating cyber risks across business functions. Our risk assessment guidelines define risk measurement and prioritization, and consider factors such as likelihood, impact, and potential harm. Mitigation strategies are planned, covering technical and procedural measures, including incident response plans.
Incident Response
We maintain a comprehensive incident response plan. Key components include regular updates to ensure effectiveness, employee training programs, and establishing communication channels and relevant systems for proper incident reporting and logging procedures. Communication and notification protocols are defined for notifying third parties such as regulatory bodies, customers, and partners. Recovery strategies are developed for restoring normal operations, and post-incident analysis is conducted to identify lessons learned and improvements for future incident response efforts. The incident response plan also outlines procedures for prompt detection, response, and remediation efforts to minimize the impact of incidents.
Incident materiality is assessed through a collaborative process involving key personnel within our organization. Responsibility for conducting a materiality assessment lies with our management team, in consultation with advice from our third-party cybersecurity consultant, as appropriate. The materiality assessment considers various factors, including financial impact, reputational risk, regulatory implications, and potential harm to third parties. Upon completion of the materiality assessment, the disclosure of incidents, including those related to contractual, regulatory, or technology/security aspects, is handled by designated members of our senior management team. We consult with outside counsel or experts as appropriate, including on materiality analysis and disclosure matters.
As of the fiscal year ending December 31, 2023, there have been no identified cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition.
Engagement of Third Parties
Recognizing the complexity and evolving nature of cybersecurity threats, we have engaged a third-party consultant to assist with evaluating and testing our risk management approach. This enables us to leverage specialized knowledge and insights in connection with our cybersecurity strategies and processes.
Strategy
To enhance our current cybersecurity posture, we continue to invest in advanced threat detection technologies, provide cybersecurity training to employees based on the latest trends and guidance, collaborate with industry partners and regulatory bodies to stay informed about emerging threats, reinforce our cybersecurity incident response plan to align with industry-specific regulations and legal obligations, integrate threat intelligence feeds for automatic detection of misconfigurations and security threats, and foster a collaborative, cross-functional, and accelerated approach to incident response.
Cybersecurity Governance
Our Board of Directors is aware of the critical nature of managing the risks associated with cybersecurity threats. The Board of Directors has established oversight mechanisms to ensure effective governance in managing these risks.
Board of Directors Oversight
Our Audit Committee has primary responsibility for overseeing risk management, including with respect to cybersecurity. The Audit Committee monitors management’s compliance, and reports to the Board of Directors. The CISO, who is responsible for developing our cybersecurity strategy and managing our cybersecurity risks, reports directly to the Audit Committee on these matters.
Management’s Role
Our cybersecurity governance framework incorporates policies, procedures, regular meetings, and controls to manage and mitigate cybersecurity risks. Aligned with industry standards and regulatory requirements, the framework is overseen and regularly evaluated by our leadership team responsible for implementation. Regular risk assessments are conducted to identify and assess potential cybersecurity risks, informing the development of proactive risk mitigation strategies within the governance framework.
The governance framework is closely integrated via a structured compliance reporting framework operating across various governance levels. This framework also operates across geographic locations, with location-specific compliance meetings conducted at a local management level and led by the CISO with assistance from the ISO team. This structured compliance reporting is intended to ensure that the highest levels of management are kept abreast of potential cybersecurity risks facing the Company, with the escalation of significant cybersecurity matters to the Audit Committee and ultimately to the Board of Directors, as appropriate.
Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.