BENTLEY SYSTEMS INC - (BSY)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
We maintain a comprehensive process for: (i) identifying the assets, threats, and vulnerabilities that affect our information systems and networks; (ii) analyzing the likelihood and impact of potential cyberattacks on our assets, operations, and objectives; (iii) evaluating the existing cybersecurity controls and measures that we have in place to prevent, detect, and respond to cyberattacks; and (iv) implementing and monitoring the appropriate cybersecurity solutions and practices that reduce our cyber risk exposure and enhance our cyber resilience.
In doing so, our Global IT Security Team, which is comprised of dedicated privacy and security professionals and run by our Chief Information Security Officer (“CISO”), stays abreast of security industry and threat trends and regularly seeks to improve our cybersecurity risk management program. Our executive leadership team, with input and guidance from our CISO, is responsible for our overall enterprise risk management system and processes, and regularly considers cybersecurity risks in the context of other material risks to the Company.
As part of our overall cybersecurity strategy, as and when we detect cybersecurity threats, our Global IT Security team documents the relevant incident details, assesses the impact and severity of it, identifies the root cause and corrective actions, and communicates the incident to our CISO and any other relevant parties as needed. We also seek to address cybersecurity risks associated with our third-party vendors by making our Global IT Security team a key part of relevant vendor onboarding, whereby we conduct comprehensive risk assessments of such vendors’ cybersecurity policies and practices. When necessary, we utilize third party auditors and consultants to assess third-party cybersecurity risks, and we consult with outside counsel as appropriate, including on materiality analysis and disclosure matters. Our senior management makes the final materiality determinations and disclosure and other compliance decisions.
Our full Board of Directors has oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, and, in conjunction with the Audit Committee, the related effects, if any, on financial reporting and internal controls. Our Chief Digital Officer and Chief Legal Officer, in conjunction with members of the Global IT Security team, regularly update the Board of Directors on the Company’s cybersecurity risk profile and incidents, if any, and our overall cybersecurity strategy and process improvements.
Our business strategy, results of operations, and financial condition have not been materially affected by risks from cybersecurity threats, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, refer to Item 1A. Risk Factors of this Annual Report on Form 10‑K.