Altair Engineering Inc. - (ALTR)
10-K Filing Date: February 22, 2024
We believe cybersecurity is a necessity for operating our business. As a global leader in computational science and artificial intelligence, we face many cybersecurity threats that range from common attack patterns, such as ransomware and denial-of-service, to attacks from sophisticated and persistent adversaries, including nation state actors, that target companies with innovative technology. Our customers, vendors and other third-party partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations. These cybersecurity threats and related risks make it imperative that we carefully execute our cybersecurity operations, strategy and governance.
The Board of Directors is informed of cybersecurity risks and provides oversight to the executive management team with the day-to-day responsibility for cybersecurity functions, auditing and budget. Senior leadership, including our Chief Information Security Officer (CISO), regularly briefs the Board of Directors on our cybersecurity and information security posture, and the Board of Directors is apprised of cybersecurity incidents deemed to impair data confidentiality, integrity and/or availability. In the event of an incident, we intend to follow our customized incident response playbooks, which outline the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g., legal), as well as senior leadership and the Board, as appropriate. Our procedures vary slightly depending on the type of incident at issue (e.g., account compromise, malware, data loss) as well as the data compromised.
Our corporate information security team, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, security operations (as a second line of defense) and cyber threat detection and response. The current CISO has ten years’ experience in cybersecurity and 35 years as an information technology professional. Given that our CISO has more than 25 years at the Company in multiple positions, he helped incubate and grow our corporate information security team into what it is today. Our information security management philosophy is one of cyber risk prevention and we have the ultimate goal of preventing cyber incidents. Simultaneously, our information security team focuses on increasing our system resilience to minimize the business impact of a data breach (or other compromise) should an incident occur. Cybersecurity is not the sole responsibility of our information security team. Our security team meets with business leaders regularly and works closely with internal departments to keep security at the forefront. Our employees and vendors also play a role in our company’s cybersecurity efforts. Through our cybersecurity awareness training and other team training, we are fostering a culture in which all employees and vendors have a role in our cybersecurity defenses.
The corporate information security team has implemented a governance structure and processes to assess, identify, manage and report cybersecurity risks. We also have threat intelligence and insider threat programs to identify external and internal threats, and to mitigate those threats in a timely manner to the best of our ability. In addition, we have developed corporate security practices, controls, and frameworks, which we believe enhance our ability to identify and manage cybersecurity risks.
Third parties also play a role in our cybersecurity and supplement our program. We engage third-party services in some areas of our business to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges.
We employ risk management functionality and document enterprise information security risks. Our information security team maintains documentation to assess risk and mitigate cyber risk in alignment with risk (understanding general impact and likelihood of risk exploitation), resources, and business process. Cybersecurity risks are tracked throughout the risk management process from risk mitigation to ultimate completion of remediation. From time to time, significant risks may be escalated to the executive management team and/or the Board in the existing executive management processes for cybersecurity and Board briefing schedule.
We rely on our indirect sales channel partners and supply chain to deliver our products and services to our customers, and a cybersecurity incident at a channel partner, supplier, subcontractor or joint venture partner could materially adversely impact us. We also contractually flow cybersecurity regulatory requirements to our subcontractors in alignment with legal and contractual obligations. Extensive international law and US sector-specific laws pertaining to privacy and data security may create challenges for our supply chain and increase costs as we continue to flow down legal obligations.
Despite our careful planning, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.