Ribbon Communications Inc. - (RBBN)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Strategy

We drive an aggressive cybersecurity roadmap aligned to internationally recognized cybersecurity frameworks and focused on evolving global threats, new cybersecurity insurance requirements and continuous improvement of incident response. Our cybersecurity program is aligned with the NIST Cybersecurity Framework and we also maintain ISO 27001 certification. Pursuant to the framework, we utilize industry leading cyber solutions and techniques to prevent, detect, and respond to incidents using a layered security model. We conduct an annual gap assessment against the NIST Cybersecurity Framework, the results of which are used to establish goals and measure progress against our cybersecurity roadmap. Based on the gap assessment, for example, we have taken a number of actions intended to reduce our cybersecurity risk, including implementing network segmentation, enhancing our email and end-point security programs and improving our web application filtering programs. We are focused on the continuous improvement of key processes such as asset management, access control, vulnerability management, incident response, and third-party risk management. We also maintain business continuity management certification to ensure the ongoing review of our business continuity, disaster recovery and incident management processes, including as a result of a cybersecurity breach.

Our Information Technology (IT) team is responsible for our cybersecurity monitoring and leverages a 24x7 Managed Detection & Response (MDR) third-party vendor to provide real-time cybersecurity threat monitoring and incident response, as well as to conduct a quarterly risk assessment. Pursuant to our incident response policy, any identified cybersecurity threats are immediately evaluated for the level of potential risk to us, with our response and remediation plan based on the potential severity of the incident. This incident risk assessment is continuously updated as we become aware of any new information regarding an identified incident. Pursuant to this plan, we will also utilize third-party experts to help identify, contain and remediate any incident that could have a significant impact on us. In addition, we use third-party experts to assist us in performing annual penetration testing and active breach assessment simulations to verify implementation of security tools, mitigating controls, and our ability to respond to real-world scenarios pursuant to our incident response policy.

As part of our cybersecurity roadmap, we also assess third-party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers. In addition, we perform risk management during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents.

We are highly focused on cybersecurity awareness and perform annual certification of our employees, execute ongoing phishing campaigns, intervene with phish-prone individuals, publish monthly cybersecurity newsletters, and participate in Cybersecurity Awareness Month, in October each year.

As of the date of this Annual Report, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition.

Cybersecurity Risk Governance

Our Board of Directors has overall responsibility for risk oversight, with its committees assisting the Board of Directors in performing this function based on their respective areas of expertise. Our Board of Directors has delegated oversight of cybersecurity risk to the Audit Committee and the Audit Committee reports on its activities and findings to the full Board of Directors. Key cybersecurity topics are presented regularly to the Audit Committee. In addition, if any cybersecurity incident is determined under our incident response policy to pose a risk in excess of an identified threshold (as set forth in the policy), our Chief Legal Officer will promptly notify the Audit Committee regarding the incident. The notification to the Audit Committee will include management’s determination regarding whether or not the incident is material to us.

On an operating level, our cybersecurity program is managed by a dedicated Chief Information Security Officer (CISO), reporting to our Chief Information Officer (CIO), who together lead a geographically dispersed team comprised of our employees, highly skilled contractors and other key functional third-party resources. Our CISO holds a Masters of MIS in Information Security and prior to joining Ribbon, served as the Director of Information Security & Privacy at Ericsson for the Americas. Prior to Ericsson, she held cybersecurity positions at Walgreens, Fortune Brands Home & Security, and W.W. Grainger. She is a Certified Information Security Manager, has operated her own security firm, and has over 19 years of cybersecurity experience, including her time as a US Navy Operations and Training Manager. Our CIO has held that position (or Head of IT) at Ribbon for over 6 years. He has over 25 years of experience in the IT area including over eight years overseeing IT cybersecurity, cybersecurity roadmaps and IT general controls. During his career he has overseen initial ISO 27001 certifications, as well as the implementation of over 30 cybersecurity platforms. The CIO and CISO are part of our cybersecurity council, which also includes our CEO, CFO and other key leaders. The cybersecurity council meets monthly to review the cybersecurity metrics, new potential threats, and progress against the cybersecurity roadmap. Key matters from these monthly council meetings are presented to the Audit Committee.