EPAM Systems, Inc. - (EPAM)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Our Cybersecurity Risk Management Program
We believe cybersecurity is a critical element in our business and in enabling digital transformation for our customers. EPAM and our customers and suppliers all face risks from cybersecurity threats and a cybersecurity incident impacting any or all of us could materially adversely affect our operations, performance and results of operations. For these reasons, EPAM maintains a cybersecurity risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. Our cybersecurity risk management program includes periodic reviews of our risks and responses as well as company-wide risk assessments by internal and external cyber risk professionals and is designed to address risks related to both EPAM’s corporate information technology network and our cybersecurity services.
Cybersecurity Risk Governance
Several of the members of our Board of Directors have extensive experience in the information technology and information security industries, so our entire Board of Directors oversees EPAM’s cybersecurity risk exposure and our management’s processes for identifying, monitoring, and mitigating cybersecurity risks. Our Chief Information Security Officer and our Head of Global Operations brief the Board of Directors on our cybersecurity and information security programs and risks, both as a regular, standalone topic and as part of EPAM’s enterprise risk management program, where it remains rated as a high priority risk that has been integrated into our regular enterprise risk management assessments. The Board of Directors or its leadership, as well as designated members of functional areas such as legal and communications, are also informed of cybersecurity incidents with the potential to have a business impact on EPAM, even if they are not material to EPAM.
Our information security programs are led by our Chief Information Security Officer and our Head of Global Operations and encompass our overall information security strategy, policy, operations, and threat detection and response management. Our information security leadership has more than 50 years of combined experience in software product engineering, security, and IT services, with extensive operational, cybersecurity, and global management experience in our or other corporate information security roles and organizations. Our information security leadership is also responsible for notifying our management and Board of Directors about cybersecurity threats and incidents. Our information security team reports to our information security leadership and selects, deploys, and operates cybersecurity technologies, initiatives, and processes across our global footprint and develops and monitors government, public, and private threat intelligence sources to continually enhance our enterprise security structure and system resilience. Our personnel and end-users who are not assigned to our information security organization also contribute to our cybersecurity defense matrix by engaging in various learning modules and events, including simulations, tabletop exercises, and mandatory annual compliance and threat awareness training. The results and feedback from our exercises and training programs are subsequently incorporated into our evolving cybersecurity strategy. We built a security operations center to constantly monitor our global information security posture and to receive threat notifications and coordinate the investigation and remediation of alerts. In the event of an incident, we have developed detailed incident response playbooks that outline the identification, assessment, remediation, and prevention steps that we follow when responding to a cybersecurity threat.
Cybersecurity Risk Management
The governance structure, controls, and processes of our information security programs are based on industry best practices, our own practices and frameworks, and codified cybersecurity and information technology standards, including compliance with the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2022 Information Security Management Systems standard and the International Standard on Assurance Engagements (ISAE) 3402 standard, as well as applicable laws and regulations. We are regularly subject to evaluations, assessments, audits, tests, and compliance inspections by customers and by third-party auditors that we or our customers engage to evaluate and test our cybersecurity risk management processes.
In addition to internal and external assessments of our own preparedness, we also seek to evaluate cybersecurity risks arising from our vendors and other third-party service providers. We review third-party cybersecurity controls through questionnaires, audits, and contract reviews, including adding security and privacy addenda to our contracts where applicable, and generally receive or commission system and organization controls reports, if available. We also generally require that our vendors report cybersecurity incidents to us so that we can assess the impact of an incident if it occurs. Vendors that are unable to provide adequate reporting or that have access to sensitive data generally have their cybersecurity processes and procedures reviewed and our relationship with that vendor is further assessed on the basis of those reviews. Our assessment of risks associated with use of third-party providers is part of our overall cybersecurity risk management framework.
We face a number of cybersecurity risks in connection with our business and we have, from time to time, experienced threats to and breaches of our data and systems and expect to continue to experience cybersecurity incidents and threats in connection with our business. Prior cybersecurity incidents have not had a material effect on our business, financial condition, results of operations, or cash flows but we cannot provide assurances that there will not be material cybersecurity incidents in the future. We have incurred and may continue to incur costs or other financial impacts from cybersecurity events that may not be covered by, or may exceed the coverage limits of, our cyber liability insurance. For more information about the cybersecurity risks we face, see the risk factor entitled “Security breaches and other disruptions to our network security that compromise our information will expose us to liability and would cause our business and reputation to suffer.” in Item 1A – Risk Factors.