POWERSCHOOL HOLDINGS, INC. - (PWSC)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company has a robust process for the assessment, identification, and management of material risks from cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks that may harm data relating to our employees or customers and/or violate data privacy or security laws.
Managing cybersecurity risks effectively is one of the key objectives of our enterprise risk management programs as we act as a data processor of personal data for educational purposes. Our Chief Information Security Officer is responsible for the Company’s Information Security Management System (“ISMS”), which defines the requirements for secure operations at PowerSchool. Our Chief Information Security Officer, Chief Information Officer, and Chief Privacy Officer collaborate with other key internal stakeholders to manage security and data privacy risks to the ISMS.
Our assessment process involves the collaboration of our internal security team and security operations center, which constantly monitors the health and security of the applications used by our employees, as well as the cloud-based network supporting all PowerSchool products licensed to customers, which processes customer data on our customers’ behalf. PowerSchool also engages third-party consultants and advisors to assist with our risk analysis of current cybersecurity threats and potential future risks. As material risks from cybersecurity threats are identified, PowerSchool coordinates with and integrates the efforts of multiple security consultants and vendors, as well as the security operations center and our internal security team, to identify, protect against, detect, respond to, and recover from attacks on our systems. We currently host our cloud service from third-party data center facilities operated by Amazon (AWS) and Microsoft (Azure) in several global locations.
The Company’s Security Council, Executive Leadership Team, and the Board of Directors collaborate to oversee the cybersecurity program. The Security Council is a strategic group of key decision makers within PowerSchool who advise on policy decisions and provide strategic direction with respect to the ISMS. The Security Council meets with the members of the Executive Leadership Team on a quarterly basis to discuss decisions and strategic topics concerning the ISMS. Finally, our directors receive quarterly updates on the health and maturity of the program, as well as other key relevant updates.
As part of an integrated risk management program, PowerSchool regularly engages external auditors to review our processes and assess the program’s maturity. These audits generate annual evidence of PowerSchool’s conformance with information security standards, such as ISO/IEC 27001:2013. PowerSchool deploys multiple tactics to mitigate risks, which include, but are not limited to, data governance strategies such as redundant server backups, physical access limitations, security policies requiring single sign-on and multi-factor authentication, employee security training, and multiple third-party security tools.
In 2023, we did not identify cybersecurity threats that have materially affected our business strategy, results of operations, or financial condition. PowerSchool invests regularly to improve the maturity of the ISMS. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats. For additional information about these risks, see Part I, Item 1A, "Risk Factors" in this Annual Report on Form 10-K.
Governance
Our Board exercises oversight over risks from cybersecurity threats through the assessment of management during and outside of scheduled Board meetings. Each quarter, our Chief Technology Officer and Chief Information Security Officer present to the Board and the Audit Committee a report on the health and maturity of PowerSchool’s ISMS. This report includes a summary review of cybersecurity threats and a discussion on key strategic topics identified through the Security Council and its review with the Executive Leadership Team.
The Chief Information Security Officer, through the Vice President of Cybersecurity Threat Management, manages the security incident response team. This cross-departmental team, which comprises members from customer support, corporate communications, legal, the information security office, and other departments, works through and responds to reported incidents. Technical experts, such as cloud operations engineers, software engineers, product design and others, may be engaged to resolve a reported incident. The team follows the well-established PICERL model, which has the following six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Records of addressed reported incidents are maintained and shared with the Security Council as part of the Security Council’s regular agenda to stay informed on incidents. The Security Council, in turn, reports to the Executive Leadership Team.
The Chief Information Security Officer has over 30 years of engineering, technology, and security experience. Our Vice President of Cyber Threat Management brings over 25 years of engineering, technology, and cybersecurity experience. Team members who support our information security program have relevant educational and industry experience.