AvePoint, Inc. - (AVPT)
10-K Filing Date: February 29, 2024
At AvePoint, cybersecurity risk management is an important part of our overall risk management efforts. We have a policy of transparency regarding our data collection, use, retention and sharing practices, and it is our commitment to implement appropriate technical security measures to protect all AvePoint stakeholders and manage third party risk.
Our operations may, in some cases, involve the storage, transmission and other processing of customer data or information. Cyberattacks and other malicious internet-based activity continue to increase, and cloud-based platform providers of services are expected to continue to be targeted. Threats include traditional computer “hackers,” malicious code (such as viruses and worms), phishing attacks, employee theft or misuse and denial-of-service attacks, and use of AI. We have experienced cyberattacks in the past, and although immaterial, there can be no guarantee that in the future such cyberattacks will not be material. We believe we are a particularly attractive target because of our prominence and scale, the types and volume of personal data and content on our systems, and the evolving nature of our products and services. We maintain an information security program that is comprised of policies and controls designed to mitigate cybersecurity risk. However, at any given time, we face known and unknown cybersecurity risks and threats that are not fully mitigated, and we continuously work to enhance our information security program and risk management efforts.
We use a risk management framework based on applicable laws and regulations and informed by industry standards and industry-recognized practices, for managing cybersecurity risks within our products and services, infrastructure, and corporate resources. To identify and assess risks from cybersecurity threats, we evaluate a variety of developments including threat intelligence, first- and third-party vulnerabilities, evolving regulatory requirements, and observed cybersecurity incidents, among others. We regularly conduct risk assessments to evaluate the maturity and effectiveness of our systems and processes in addressing cybersecurity threats and to identify any areas for remediation and opportunities for enhancements. We also engage third-party security experts and consultants to assist with assessment and enhancement of our cybersecurity risk management processes, as well as benchmarking against industry practices. In addition, we maintain a privacy risk management program to assess privacy risks related to how we are collecting, using, sharing, and storing user data, which is subject to assessment by an independent, third-party privacy assessor. We have certified against, and demonstrated conformance to, the International Organization for Standardization’s (“ISO”) information security management system audit using the 27701:2019 framework for the first time, and the 27001:2013, 27701:2019, and 27017:2015 frameworks. Successfully achieving these four certifications demonstrates our prioritization of security and privacy for both us and our customers and we believe shows that we have proper company-wide processes for managing operations, and maintaining people and information assets, information systems, and the associated processes that enable corporate operations. 
Our four ISO certifications add to the company’s overall resiliency strategy and commitment to security for all customers, which includes other accreditations including SOC 2 Type II, compliance with HITRUST CSF v11.0.1, CSA STAR, IRAP, FedRAMP and StateRAMP.
PART I
Item 1C
Our privacy and security program dictates a governance structure whereby we:
● Regularly engage senior management on data privacy and security issues;
● Align policies, procedures, and technical controls to demonstrate our process and our commitment to our customers and users;
● Train each of our employees on all privacy and security expectations;
● Conduct regular phishing email simulations for employees and contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
● Maintain a robust cybersecurity incident response plan, which provides a framework for handling cybersecurity incidents based on, among other factors, the potential severity of the incident and facilitates cross-functional coordination across AvePoint;
● Periodically run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
● Maintain cybersecurity insurance and regularly review our policy and levels of coverage based on current risks;
● Monitor emerging data protection and cybersecurity laws, and implement changes to our processes, systems and offerings designed to comply, and through policy, practice and contract (as applicable) require employees, as well as third parties who provide services on our behalf, to treat customer information and data with care;
● Complete several cyber-specific audits per year; and
● Engage consultants and other third parties in connection with our cybersecurity practices.
Our internal audit function provides independent assessment and assurance on the overall operations of our cybersecurity and privacy programs and the supporting control frameworks. These processes support informed risk-based decision-making and prioritization of cybersecurity countermeasures and risk mitigation strategies. Our risk mitigation strategies include a broad variety of technical and operational measures, as well as annual cybersecurity and privacy training for all of our employees.
In addition, we maintain specific policies and practices governing our third-party security risks, including our third-party assessment (“TPA”) process. Under our TPA process, we gather information from certain third parties who contract with AvePoint and share or receive data, or have access to or integrate with our systems, in order to help us assess potential risks associated with their security controls. We also generally require third parties to maintain security controls to protect our confidential information and data, and notify us of material data breaches that may impact our data.
Our Chief Risk, Privacy and Information Security Officer (“CISO”) leads the company’s privacy, data protection and security program. An expert in cyber and data security trends, our CISO has over twenty years of experience in the data protection field, was a founding member of the Women Leading Privacy Advisory Board and former member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP) and in 2023, was named a finalist for the Women in IT Awards in the Security Leader of the Year category, included in the SIA Women in Security Power Forum 100 and named a Top Global CISO by Cyber Defense Magazine. In addition, our CISO oversees teams across the company supporting our security and privacy functions of identify, prevent, detect, respond, and recover. These teams are comprised of personnel with a broad range of experience across the private and public sectors, the technology industry, and different geographic regions. Our cybersecurity teams monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through a variety of technical and operational measures, and regularly report to our CISO. Our CISO reports directly to our Chief Executive Officer and is a member of the company’s senior management team, and is responsible for identifying, assessing, and managing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures, and maintaining cybersecurity policies and procedures. Additionally, our CISO and Chief Compliance Officer regularly update our senior leadership team, our Nominating and Corporate Governance Committee, and the full Board, on the company’s privacy and cybersecurity program, including privacy and cybersecurity risks, incidents, and mitigation strategies.
Disclosure of the Board’s Roles and Responsibilities
Our Board of Directors oversees risks from cybersecurity threats using a multi-faceted approach that involves the Nominating and Corporate Governance Committee and various executive roles. Additionally, our CISO and Chief Compliance Officer regularly report on cybersecurity matters to the Board, as discussed above.
Nominating and Corporate Governance Committee
Our Nominating and Corporate Governance Committee oversees risks associated with data privacy and information security, which encompasses cybersecurity. Our CISO and Chief Compliance Officer, among other executives, provide periodic reports to our Nominating and Corporate Governance Committee and also meet with our Nominating and Corporate Governance Committee to discuss any material events when they arise. The periodic reports are designed to keep our Nominating and Corporate Governance Committee abreast of the Company’s cybersecurity practices, as well as risks and trends in cybersecurity threats. Our Nominating and Corporate Governance Committee also has discussions with management focused on evaluating our exposure to cybersecurity risks and cybersecurity practices in place to mitigate such risks. These discussions enable our Nominating and Corporate Governance Committee to be informed of the steps management is taking to detect, monitor and manage cybersecurity risks. These reports to our Nominating and Corporate Governance Committee typically include information on any incidents that have occurred, how they were managed, and any changes to the risk profile of the Company. Our Nominating and Corporate Governance Committee seeks these updates to facilitate proactive governance and to address emerging cybersecurity issues with management.
In 2023, we did not identify any privacy or cybersecurity threats that materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.
PART I
Items 2, 3, and 4