TTEC Holdings, Inc. - (TTEC)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy. The Company recognizes the critical importance of maintaining the trust and confidence of our clients, business partners, and employees, and has developed an information security program to address material risks from cybersecurity threats. We have implemented a cross-functional approach to preserving the overall integrity of the information that the Company collects and stores by identifying, preventing, and mitigating cybersecurity threats and effectively responding to security incidents when they occur, while also maintaining controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

The Company relies on a comprehensive Enterprise Risk Management (“ERM”) program, which includes cybersecurity as an important component. Our cybersecurity program is focused on the following key areas:

Risk Assessment. The Company engages in periodic cybersecurity and technology resilience risk assessments based on methodology and guidance from a recognized national standards organization, and utilizes periodic risk-based analysis for adopting, maintaining and adjusting appropriate security controls to address such risks.

The following factors, among others, are considered by the Company in assessing its cybersecurity risks, mitigation, and remediation strategies: the likelihood and severity of risk; impact on the Company and others, if a risk materializes; feasibility and cost of controls; and impact of controls on operations and on others. The specific controls used by the Company vary based on the systems involved, but usually include firewalls, intrusion prevention and detection systems, anti-malware technical safeguards and access controls, endpoint threat detection and response (EDR), identity and access management (IAM), privileged access management (PAM), logging and monitoring involving the use of security information and event management (SIEM), multi-factor authentication (MFA), and vulnerability and patch management.


The Company periodically tests its cybersecurity policies, standards, processes, and practices. These testing efforts conducted by our in-house security teams and by third-party security firms include audits, assessments, tabletop exercises, threat modeling, penetration testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. Individual controls are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. The Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.

Independent Assessments. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness.

Third-Party Risks. The Company maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Business Continuity and Incident Response. The Company has established and maintains comprehensive business continuity, disaster recovery, and incident response plans that address the Company’s response to cybersecurity incidents. We conduct periodic tabletop exercises and other testing of these plans to enhance incident response preparedness for potential disruption to technology we rely on in our business.

Education and Awareness. The Company provides regular, mandatory training for personnel on cybersecurity threats as a means to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes, and practices. The training includes phishing and smishing exercises.

Although the Company has confidence in the security measures and processes it deploys to protect its environment from cybersecurity threats, neither the Company nor the third parties it relies on may be able to fully, continuously, and effectively implement security controls as intended. As stated above, we utilize a risk-based approach and judgment to determine which security controls to implement, and it is possible we may not implement appropriate controls if we fail to recognize or underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate, but not fully eliminate, risks. Events, when detected by security tools or third parties, may not always be immediately understood or acted upon.

Governance. The Company’s Board of Directors (the “Board”), in coordination with its Audit Committee, oversees the Company’s overall ERM process, and has delegated the management of risks arising from cybersecurity threats to the Security & Technology Committee, which regularly interacts with the Company’s Chief Security Officer (“CSO”), Chief Information Officer (“CIO”), the Chief Privacy and Regulatory Compliance Officer, Chief Legal & Risk Officer, and other members of management. The Security & Technology Committee receives regular reports on the Company’s cybersecurity risks, vulnerability assessments, third-party and independent reviews, and other relevant information.

The Board and its Security & Technology Committee also receive prompt and timely information regarding any cybersecurity incidents that meet established reporting thresholds, as well as ongoing updates regarding any such incidents until they have been addressed. At least annually, the Board discusses the Company’s approach to cybersecurity risk management with the Company’s CSO, CIO, and Chief Legal & Risk Officer, and other members of management.

The CSO, in coordination with other members of the TTEC executive leadership team, works collaboratively across the Company to implement a cybersecurity program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and respond to cybersecurity incidents.


Our CSO holds an undergraduate degree in Computer Science and has served in various information technology and information security roles, including serving as the CISO/CSO for two public companies as well as various leadership roles in two medium-sized private companies over the last 30 years.

Our CIO holds an undergraduate degree in Computer and Electrical Engineering and has served in various roles in information technology for over 25 years, including serving as either the chief technology officer or chief information officer for two large public companies and a technology start-up.

The Company has previously experienced significant cybersecurity incidents. Although cybersecurity threats, including any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to materially affect the Company, there can be no assurances that future cybersecurity incidents, which are unavoidable, will not materially affect us, including our business strategy, results of operations, or financial condition.