TYLER TECHNOLOGIES INC - (TYL)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY.
Tyler is committed to remaining vigilant in an ever-changing security environment. Our public sector clients are attractive, data-rich targets for threat actors. We partner closely with our clients to assist them in following evolving best practices, and constantly evaluate our own policies and procedures to help ensure that we are implementing safeguards that protect their data and ours.
The same cybersecurity threats that predominate across most industries challenge Tyler and our clients as well. These threats range from crude phishing attempts to distributed denial-of-service disruptions to sophisticated malware and ransomware, among others. We are acutely aware that these same threats exist for our acquisition targets, our suppliers, and our third-party business partners, and a cybersecurity incident or vulnerability experienced by any of these entities could also materially and/or adversely impact our business operations and/or performance, both operational and financial, and could harm our reputation and/or competitive position. Given the criticality of a strong cybersecurity posture, we continuously and conscientiously invest in our security infrastructure, tooling, and related resources.
Cyber Risk Management Strategy
The Board of Directors is responsible for overseeing Tyler’s senior management in the execution of its risk-management responsibilities and for assessing Tyler’s overall approach to risk management. The Board exercises these responsibilities periodically as part of its meetings and through its committees, each of which examines various components of enterprise risk. The Audit Committee oversees management of financial risks, as well as Tyler’s policies with respect to risk assessment and risk management, including but not limited to information security risk.
Tyler’s Chief Information Security Officer (“CISO”) leads the information security function at Tyler. He has spent his career in information security, joining Tyler in 2018 and previously working in the payments and semiconductor manufacturing industries. He is a Certified Information Systems Security Professional (“CISSP”) and a Certified Data Privacy Solutions Engineer (“CDPSE”).
The CISO reports directly to Tyler’s Chief Operations Officer (“COO”), who in turn reports to the President & Chief Executive Officer. Tyler believes this organizational structure provides a holistic and collaborative approach to cybersecurity risk management, as the COO also oversees Tyler’s information technology, technology, and cloud operations teams, with whom the CISO works regularly and closely. The CISO also has a dotted line to the Chair of the Audit Committee.
The CISO leads a full-time Security Risk & Compliance team that assesses, identifies and manages material risks from cybersecurity threats and oversees our Information Security Risk Management Program. These efforts include the identification, assessment, and treatment of potential harms to Tyler’s technology, data, and intellectual property. The team continually monitors the potential for harm to help manage the level of risk.
To help protect client information and Tyler data, Tyler leverages both internal and external resources, including third-party assessments, to work to identify and respond to information security risks. For example:
Internal Resources: Our full-time information security team focuses on managing incoming security risks and developing preventative responses to potential future risks, using tools targeted at people, processes, and technology. These efforts include security training for all employees at hire and on an annual basis thereafter, unannounced security testing (particularly on topics such as phishing), and periodic security alert messages for education or urgent security communications.
We repeatedly test our software, during the development cycle and once out in the field, including internal assessments of our flagship solutions. We work closely with Tyler’s Data Privacy Officer and her team to educate Tyler team members on complementary privacy-by-design principles. We continuously iterate on access management policies for both technological and physical resources.
Tyler staffs an internal incident response team designed to launch when a potential or suspected security incident is reported to or identified by Tyler. That team is composed of a multi-disciplinary group of Tyler team members, including representatives from the security, privacy, communications, and relevant business unit teams, as well as outside forensic and legal advisors that are called on as needed. The incident response team’s goal is to confirm, contain, mitigate, and remediate the incident, as applicable, and conducts a “lessons learned” process when the incident response is completed.
To help ensure disaster recovery and business continuity, Tyler maintains a business continuity plan with comprehensive procedures designed to recover Tyler and client assets quickly and effectively following a service disruption. Tyler’s policies and procedures with respect to disaster recovery, as well as its process to help recover critical technology platforms, data center infrastructure, and operations, are updated regularly, tested annually, and reviewed by third-party auditors. We also partner with our Internal Audit team to regularly assess and respond to evolving risk management findings.
External Resources: Tyler leverages third-party assessments, audits, and reporting obligations to provide additional layers of accountability, monitoring, and testing. This includes a published bug reporting program that invites any third party to report a security vulnerability they have identified. We also use a Qualified Security Assessor to perform an annual Payment Card Industry Data Security Standard assessment that tests our credit card data controls, and we undergo an annual System & Organizational Control audit to generate a report of our key compliance controls and objectives, among other things. Given our technology in the courts and public safety markets, we also manage compliance with Criminal Justice Information Services security standards that are established by the Federal Bureau of Investigation (“FBI”), and we partner with our clients and third-party Criminal Justice Information Services (“CJIS”) compliance consultants to ensure that we adhere to the requirements applicable to us.
Technology: Tyler also utilizes technology to help harden our environment from internal and external threats. We leverage a third-party endpoint detection management solution and threat intelligence software, as well as web-filtering tools, a multi-factor authentication tool, and related tools that support our “defense-in-depth” strategy. These tools are operated by subject-matter experts that report to the CISO, and Tyler employees are educated on the tooling to the extent applicable.
Third Parties: Our management of third-party security risks is an area of heightened focus for us. Over the past several years, we have worked to formalize our security due diligence process for each acquisition target, such that security is a formally embedded component of our due diligence and typically involves our independent testing of the target technology prior to closing the acquisition. Where a vulnerability or risk is identified, we generally require remediation by the target or attempt to ensure a remediation path post-closing, with contractual protections and liability parameters set forth in the purchase agreement.
We strive to enhance our vendor risk analysis, with a goal of universalizing the use of form cybersecurity questionnaires and/or security addenda where applicable. We consider the results of a security and privacy review of material vendor contracts, as well as our material contracts with business partners. Our goal is to proactively identify and manage potential security risks and vulnerabilities, and to clearly articulate the responsibility – whether shared, divided, flow-down, or otherwise – of Tyler, our acquisition targets, our vendors, and/or our business partners. We expect third parties – including our clients – to report cybersecurity incidents to us so that we can assess the impact of the incident on us.
Cybersecurity Governance
In 2022, we formalized a multi-layered security governance structure, with the goal of ensuring that responsibilities are clear, information is effectively communicated, priorities are coordinated, and proper oversight is provided. Each “layer” of the governance structure has unique meeting, reporting, and action cadences to help ensure consistent communication between our security working groups, our leadership team, and our Board of Directors.
On at least a quarterly basis, Tyler’s CISO provides a formal report to the Audit Committee and to the Board of Directors. Our Audit Committee Chair and CISO also communicate on an as-needed basis between those quarterly reports. In 2022, Tyler’s Lead Independent Director completed the requirements to receive the CERT Certificate in Cybersecurity Oversight from the Software Engineering Institute at Carnegie Mellon University. Another Tyler director possesses more than 37 years of Department of Defense experience in cyberspace operations and major computer network architectures.
Tyler’s governance practices are supported by several segments of Tyler’s senior leadership, management, and teams. This includes security working groups and a security governance committee. The security governance committee, which meets on a quarterly basis to review the threat landscape and security initiatives at Tyler, is led by the CISO and includes senior leadership from Tyler’s legal and operational teams, as well as the president of each of Tyler’s three operating groups and Tyler’s President & CEO.
Operationalizing Cybersecurity Risk Management
We firmly believe – and communicate regularly – that all Tyler team members have a vital role to play in cybersecurity risk management. We identify their responsibilities as falling into three key areas:
• Participating in training to identify and promptly report risks;
• Staying informed by reading all pertinent information and security communications; and
• Actively engaging in ongoing training initiatives.
We observe Cybersecurity Awareness month with interactive weekly training, workshops, and additional resources on strong cybersecurity practices. In addition to Cybersecurity Awareness month, additional cybersecurity training and awareness initiatives occur throughout the calendar year, including annual security compliance training; a monthly Cybersecurity Awareness Series composed of articles and training highlighting current cybersecurity concerns; company-wide communication as necessary to alert team members of potential threats; and weekly security-related videos with opportunities to win prizes through participation. We track participation in training events and boast high participation rates, with continuous reflection on strategies for driving participation yet higher.
In 2022, we expanded our Security Champions Program to identify a resource on our various application teams who proactively operationalizes security best practices on their team. This program helps to ensure that security measures are built into our programs from development to deployment. We have over 100 security champions who can collaboratively advocate security tools throughout the lifecycle of our applications.
Measuring Cybersecurity Risks
In order to evaluate whether a cybersecurity risk is material to Tyler, we take a multi-disciplinary approach to assessing qualitative and quantitative factors. The cross-functional team includes senior leadership from Tyler’s information security, legal, finance, and accounting teams, as well as senior leadership from the impacted business unit(s).
When an incident is reported, Tyler assembles its incident response team and initiates its incident response process as soon as possible. Working with the incident response team, the CISO aims to take an initial measurement of qualitative and quantitative metrics, typically within 24 hours of the incident report, to help determine whether Tyler’s Chief Financial Officer (“CFO”) and Chief Accounting Officer (“CAO”) should be engaged to perform a deeper analysis of the quantitative factors. The CFO and CAO are expected to engage with the Company’s Chief Legal Officer (“CLO”) and Audit Chair to evaluate, holistically, not just the quantitative factors but the qualitative factors as well. If that team determines that the incident may represent a risk to national security, the CLO may contact the U.S. Attorney General to request a disclosure delay of up to 30 days; otherwise, if management believes the materiality threshold has been reached, the team may coordinate to prepare and file a Form 8-K. Whether or not the incident is deemed material, the incident response team will monitor the incident on an ongoing basis to attempt to ensure containment, mitigation, and remediation, and to watch for evolving factors that subsequently push the incident over a materiality threshold that requires disclosure and reporting.
Quantitative metrics for evaluating a security incident include the potential or actual financial loss, the costs of impacted data records, remediation costs, and/or third-party expenses. Qualitative factors include potential or actual impacts to Tyler’s reputation and/or competitiveness, disruptions to Tyler’s business, and/or risk of litigation or regulatory action. In evaluating an incident, Tyler also works to assess whether the incident is related to another recent incident and whether the incident may represent a threat to national security. Tyler does not expect an incident to rise to that level unless Tyler infrastructure is deemed “critical infrastructure” by the Cybersecurity and Infrastructure Security Agency (“CISA”).
Notwithstanding these ongoing efforts and our multi-layered approach to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While Tyler maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured.
Please see Item 1A, “Risk Factors,” for a discussion of cybersecurity risks.