Genpact LTD - (G)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Cybersecurity risk management is an essential part of our enterprise risk management program. We are committed to maintaining governance and oversight of these risks and to implementing controls, technologies, and processes designed to help us identify, assess, and manage these risks.
Our cybersecurity program aims to incorporate industry best practices, including standards such as ISO 27001 and the NIST Cybersecurity Framework, and focuses on implementing effective and efficient controls, technologies, and other processes to assess, identify, manage and address cybersecurity risks, threats and incidents. Our practices include, among other things, security awareness training and simulations, technologies and processes to monitor our systems, assessments of controls, and incident response processes. We engage with industry groups and forums to stay informed of industry practices and developments. We monitor developments in the threat landscape that may affect our systems or services and assess their potential impacts on and risks to our cybersecurity posture. We engage external service providers, where appropriate and from time to time, to assist us with aspects of our program, such as assessing and testing controls, providing threat intelligence information and incident response. We also have processes in place to manage cybersecurity risks associated with third-party service providers. Certain key security controls are tested annually by independent third-party auditors. We regularly refine our cybersecurity processes as we determine necessary to address developments in the threat landscape, advance our control and technology capabilities, respond to regulatory requirements and standards, and implement improvements based on the results of internal and external assessments.
Our cybersecurity incident response process involves a multi-functional approach for investigating, containing, and mitigating incidents, including reporting findings to senior management and other key stakeholders, including if appropriate the audit committee and the board, and keeping them informed and involved as appropriate. While we have not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that has had a material impact on our business or operations, we have experienced incidents that did not have a material impact on our business or operations, and there can be no guarantee that we will not experience an incident that results in a material impact to our business or operations in the future. In addition, cybersecurity threats are constantly evolving and increasing in sophistication, which increases the difficulty of successfully defending against them or implementing adequate preventative measures. See "Risk Factors" above for more information about the cybersecurity risks we face.
Our board of directors has ultimate responsibility for oversight of our risk management, and delegates cybersecurity risk management oversight to the audit committee. The audit committee, which is responsible for ensuring that management has processes in place designed to identify, evaluate and manage cybersecurity risks and incidents, regularly reviews our cybersecurity program with management and reports to the board of directors. Cybersecurity reviews by the audit committee generally occur at least quarterly. A number of our directors have experience in assessing and managing cybersecurity risk, including by serving on other public company audit committees having responsibility for cybersecurity oversight. One of our directors has also served as a Chief Technology Officer for multiple companies.
Our cybersecurity program is run by our Chief Information Security Officer (CISO), who reports to our Head of Enterprise Risk Management and receives input and support from our Head of Enterprise Risk Management and our Chief Technology and Transformation Officer. Our CISO has extensive experience leading and managing cybersecurity programs and in cybersecurity risk management. Our CISO has served in this position since 2014 and, before joining Genpact, was CISO at another US-listed public company. Our CISO is supported by our information security team, many of whom hold cybersecurity certifications and who collectively possess relevant experience in different areas of cybersecurity.
Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from our information security team, internal governance processes, and by reviewing the results of internal and third-party assessments and audits. Our CISO regularly reports directly to the audit committee on our cybersecurity program and our efforts to prevent, detect, mitigate, and remediate cybersecurity risks. In addition, we have a Security Governance Council, made up of members of our senior management team as well as relevant security personnel, that meets periodically to discuss and address relevant cybersecurity matters.