ALKAMI TECHNOLOGY, INC. - (ALKT)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program is based on principles set forth in the Secure Controls Framework (SCF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the SCF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Key elements of our cybersecurity risk management program include:
• a security team principally responsible for managing our security controls and our response to cybersecurity incidents;
• a compliance team principally responsible for managing our risk assessments, which are designed to help identify material cybersecurity risks to our critical systems and information;
• the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
• cybersecurity awareness training for our employees, incident response personnel, and senior management;
• a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
• a third-party risk management process for partners and vendors.
Our cybersecurity risk management program is a key component of our overall process concerning assessment and management of enterprise risk. Risks relating to cybersecurity, data privacy and other information technology risks are overseen by the Information Systems Audit Committee of the Board (the “IS Audit Committee”), and the assessment and management of other enterprise-level risks are overseen by the Audit Committee of the Board.
We face certain continuing and ongoing material risks from cybersecurity threats, which the SEC defines as any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. See "Risk Factors—Risks Relating to Cybersecurity or Data Privacy—A breach or other compromise of our security measures or those of third parties we rely on could result in unauthorized access to personal information about our clients’ customers and other individuals and other data, or disruptions to our systems or operations, which could materially and adversely impact our reputation, business, financial condition and results of operations." Otherwise, however, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Cybersecurity Governance
Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to the IS Audit Committee oversight of cybersecurity, data privacy and other information technology risks. The IS Audit Committee oversees management’s implementation of our cybersecurity risk management program.
The IS Audit Committee receives quarterly reports from management on our cybersecurity risks. In addition, management updates the IS Audit Committee, as necessary, regarding significant cybersecurity incidents.
The IS Audit Committee reports to the full board of directors regarding its activities, including those related to cybersecurity. Our board of directors also receives briefings from our Chief Information Security Officer (“CISO”) and Chief Compliance Officer (“CCO”) on our cybersecurity risk management program. Directors receive presentations on cybersecurity topics from our CISO as part of the board of directors’ continuing education.
Our management team, including our CISO and CCO, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our CISO’s experience includes over 25 years of helping to build global cybersecurity programs in companies ranging from Fortune 50 to early-stage entities. Our CCO, who is responsible for our technology risk management program, has over 25 years of experience building and leading risk management and compliance programs in large institutions across multiple geographies.
Our management team, led by our CISO and CCO, stays informed about and monitors efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and external consultants engaged by us, and alerts and reports produced by security tools deployed in the information technology environment.