Exela Technologies, Inc. - (XELA)

10-K Filing Date: April 03, 2024

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Exela has developed and maintained a comprehensive cybersecurity program which is integrated within Exela’s enterprise risk management program and encompasses the corporate and operational technology environments, as well as client-facing products and services. Our cybersecurity program has implemented a governance structure and process to identify, assess, manage, mitigate, respond to and report on cybersecurity incidents and risks within an ever-changing threat landscape. We utilize cybersecurity policies and frameworks based on industry and government standards, including the National Institute of Standards and Technology Cyber Security Framework (“NIST CSF”). This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity program includes an incident response plan, which establishes (1) a framework for classifying security incidents according to their severity level, taking into account the nature and scope of the incident; and (2) protocols for the escalation of incidents. Exela owns and operates a 24 x 7 security operations center (“SOC”) which monitors our global cybersecurity solutions and production environments, and serves as a central location for the reporting of cybersecurity matters. The roles and responsibilities of the SOC and our cybersecurity team in the incident response context are established by the incident response plan, as well as in associated playbooks and other procedural documentation.

We partner with third parties to support and evaluate our cybersecurity program including cybersecurity maturity assessments, incident response, penetration testing and consulting on best practices. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those who have access to our data or our systems. Third-party risks are included within our risk assessment of vendors, as well as our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of third-party service providers. We perform diligence on third parties, particularly those that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence.

The Company has implemented a cybersecurity awareness program which covers topics such as phishing, social networking safety, password security and mobile device usage. We regularly communicate these and other pertinent security issues or compliance across our organization. Additionally, Exela has mandatory security awareness training addressing cybersecurity, privacy and confidential information.

In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. In June 2022, we experienced a previously disclosed network outage which required us to, among other things, limit access to our applications and services by our employees and customers. In response, we incurred considerable costs to restore the security of our internal systems and networks and adopted various enhancements. Please refer to “Item 1A. Risk Factors” for further information about the material risks associated with various cybersecurity threats.

Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to its Audit Committee oversight of cybersecurity and other information technology risks. Our Audit Committee oversees management’s ongoing activities related to our cybersecurity risk management and compliance programs.

Our cybersecurity program is led by our Chief Technology Officer (“CTO”), who has two decades of experience in various cybersecurity, software development, product management, and other technology-related roles. Our CTO oversees teams across the company supporting our security functions of identify, prevent, detect, respond, and recover. These teams are comprised of personnel with a broad range of experience across the private and public sectors, the technology industry, and different geographic regions.

Our Audit Committee receives periodic reports from our CTO and management on our cybersecurity risks and the current threat landscape trends. In addition, management will update the Board directly, as necessary, regarding cybersecurity incidents. The full Board also receives presentations on cybersecurity topics from our CTO and other security management staff as part of the Board’s continuing oversight of topics that impact the Company.