ANSYS INC - (ANSS)

10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We are subject to various cybersecurity risks in connection with our business. See the section entitled “Cybersecurity Risks” in Part I, Item 1A. Risk Factors of this Annual Report on Form 10-K. Our cybersecurity program is led by an experienced team of cybersecurity professionals headed by our Vice President of Cybersecurity, reporting to our General Counsel.
Our Cybersecurity Management System (CSMS) is part of our cybersecurity program and operates under the Ansys CSMS Risk Management Methodology and Policy (Policy), which establishes a process to identify, assess and mitigate potential cybersecurity threats. The Policy provides for conducting risk assessments to identify Ansys information assets (such as software assets or data), identifying potential vulnerabilities related to those assets, assessing the potential impact should the vulnerability be exploited and working with our internal cybersecurity team to provide recommendations to eliminate or mitigate the potential risk. The risk assessments allow our management to validate threats and investigate potential vulnerabilities to more effectively make risk management decisions and assign resources to mitigate risk.
Our CSMS uses third-party software to identify and prioritize cybersecurity threats and has dedicated personnel whose core responsibilities are to document and track cybersecurity threats. We use security technology tools and methodologies to protect our information systems. We also use tools for risk and vulnerability management and perform periodic penetration testing and vulnerability scanning. Further, we provide our employees information security awareness training upon hire and annually thereafter.
We conduct an enterprise risk assessment that is updated on an annual basis and includes periodic monitoring of new and emerging risks and preparation for and progress on mitigation efforts. Cybersecurity is directly integrated into this process as an operational risk and has been classified within the enterprise risk management program based on the risk assessment. Any identified gaps are incorporated and monitored through a cybersecurity roadmap, with progress reported to management. Controls put in place to manage any identified risks are evaluated against an established risk-mitigation framework.
We engage multiple third-party consultants to advise us on our cybersecurity processes. We conduct external, third-party assessments of our cybersecurity program against specified industry frameworks, as well as annual re-assessments designed to help us understand program changes and the impact that they have had on overall program maturity. Additionally, we engage an external third-party penetration testing entity to measure the effectiveness of our cybersecurity strategy against cybersecurity threats.
Lastly, we use third-party intelligence resources to help identify cybersecurity threats via finished intelligence, alerts and consulting services that help answer requests for information. We have collaborative relationships with The Information Technology - Information Sharing and Analysis Center and several governmental agencies for identification of threats that target technology.
Ansys also has an established Third-Party Risk Management Program and Policy that is designed to identify and manage cybersecurity risks associated with third-party service providers. The program includes processes designed to identify, assess and mitigate and/or manage third-party service provider risks. Under the Third-Party Risk Management Program and Policy, we evaluate third-party service providers through five stages: planning, due diligence, contracting/onboarding, ongoing monitoring and termination/off-boarding.
We have in the past, and may in the future, experience cybersecurity incidents. Although prior incidents have not materially affected Ansys, future incidents from cybersecurity threats could have a materially adverse impact on us, including on our reputation, the results of our operations and our financial condition, and could result in lawsuits and potential civil liability, as well as regulatory fines and non-financial penalties.

Governance
Our cybersecurity program is overseen by the Audit Committee of the Ansys Board of Directors. This oversight is anchored in the Audit Committee’s charter, which specifically grants the Audit Committee oversight responsibility on our risks related to cybersecurity, including a review of the state of our cybersecurity program, emerging cybersecurity developments and threats and our strategy to mitigate cybersecurity risks. The Senior Director of Internal Audit and Risk Management, with input from the Vice President of Cybersecurity, reports on the status of the cybersecurity program to the Audit Committee and, periodically or where appropriate, to the Ansys Board of Directors. These reports generally include recent updates and improvements to the cybersecurity program, information on the cybersecurity program’s status and intelligence on recent cybersecurity threats, actions we have taken to mitigate such threats and recent material incidents, or potentially material incidents, if any. In addition, the Senior Director of Internal Audit and Risk Management reports to the Audit Committee on the enterprise risk management program, which includes risks associated with cybersecurity.
Our cybersecurity program, and its associated CSMS, is led by an experienced team of cybersecurity professionals headed by the Vice President of Cybersecurity. In the event of a cybersecurity incident, we have a dedicated Cybersecurity Incident Response Team that is responsible for identifying, escalating, responding to and managing cybersecurity incidents, including interdiction and remediation, as well as conducting the initial investigation, gathering and analyzing data, mitigating damage to the informational assets and infrastructure of Ansys, restoring normal services and system integrity and implementing actions designed to prevent future cybersecurity incidents. This team reports to the Vice President of Cybersecurity. In the event of a significant cybersecurity incident, a cross-functional team composed of cyber, legal and finance personnel works together to determine the materiality of the incident.
Our Cybersecurity Steering Committee, which includes the Vice President of Cybersecurity and several members of management, is responsible for the oversight of our cybersecurity program. The Vice President of Cybersecurity has over 20 years of experience in cybersecurity. Members of this committee include our General Counsel, Chief Financial Officer and the Senior Director of Internal Audit and Risk Management, all of whom have significant experience in managing enterprise risk, including risk from cybersecurity threats. The Cybersecurity Steering Committee meets routinely to discuss the status of the cybersecurity program, the status of responses to cybersecurity incidents or threats, any updates on certification programs and any emerging cybersecurity threats. Information received by management through the Cybersecurity Steering Committee is regularly included in the quarterly updates to the Audit Committee.