CSG SYSTEMS INTERNATIONAL INC - (CSGS)
10-K Filing Date: February 16, 2024
We are committed to protecting our information assets and systems from cybersecurity threats and ensuring compliance with applicable laws and regulations. Despite our commitment to protecting our systems, data and assets, we know that networks and systems are subject to the risk of an extended interruption, outage, or security incident due to many factors including, without limitation: (i) changes to our systems and networks for such things as scheduled maintenance and technology upgrades, or conversions to other technologies, service providers, or physical location of hardware; (ii) failures or lack of continuity of services from public cloud or third-party data center and other service providers; (iii) defects and/or critical security vulnerabilities in software programs; (iv) human and machine error; (v) acts of war and/or nature; (vi) intentional, unauthorized attacks from computer “hackers” or other cybersecurity attacks; and (vii) using the systems to perpetrate identity theft through unauthorized authentication to our customers’ customers’ accounts. In the following sections we describe how we identify, assess, and manage material risks related to cybersecurity, and how our Board of Directors (the “Board”) oversees our cybersecurity program.
We believe we have implemented a cybersecurity program that is aligned with the ISO 27001 framework, SEC regulations, and industry best practices. It is our goal to identify and manage material risks related to cybersecurity and implement effective controls and measures to mitigate such risks. The Board endeavors to provide effective oversight and governance of our cybersecurity program and ensure that our cybersecurity program supports our strategic objectives and risk appetite.
Although we take reasonable and effective measures to ensure the protection of any data that is stored, processed, or transmitted through our systems, we know that attackers have the means, motives, and opportunities to attack. As of the date of this filing we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. In addition, we maintain controls and procedures that are designed to ensure prompt escalation of critical cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner. Please refer to “Item 1A. Risk Factors” for further information about the material risks associated with various cybersecurity threats.
Risk Management and Strategy
Our cybersecurity risk management process is aligned with our enterprise risk program. We continuously identify, assess, treat, and monitor cybersecurity risks and report those risks on a periodic and as-needed basis to executive management and the Board. We use various sources of information, including internal and external audits, tabletop exercises, threat intelligence, vulnerability scans, penetration tests, customer and employee feedback, and industry benchmarks, to identify and mitigate our cybersecurity risks. We will also engage third-party services, from time to time, to conduct evaluations of our security controls, whether through penetration testing, independent audits, or consulting on best practices to address new challenges. Additionally, we evaluate trends in the legal and regulatory environment and consider business drivers, emerging threats, and technology changes to identify risks across our people, processes, and technology. We then assess our current controls and capabilities to mitigate those risks and develop action plans to address any identified gaps or weaknesses. Action plans are prioritized and implemented with monitoring of completion and effectiveness against the identified risks. We also monitor our performance and progress against various key indicators and objectives based upon ever-changing risks and provide ongoing updates to relevant stakeholders, including executive management and the Board.
We leverage the ISO 27001 framework for cybersecurity risk management. Our cybersecurity risk management strategy is frequently reviewed and adapted to address and meet current and emerging threats. Risk treatment plans are strategically prioritized and executed, and residual risks are reported through our enterprise risk program and elevated to executive management and the Board.
Our cross-functional Information Security Steering Committee (“ISSC”) is the senior management team that oversees the direction, execution, and effectiveness of our cybersecurity program, policies and procedures including: cyber risks, mitigations, risk treatment plans, incident response plans, compliance with applicable regulations, and ensuring business-aligned cybersecurity objectives. The ISSC is chaired by our Chief Information Security Officer (“CISO”) and consists of representatives from risk, compliance, internal audit, IT, accounting, finance, legal, and other key executives, including our Chief Information Officer (“CIO”) and Chief Financial Officer. The ISSC meets quarterly to guide, direct, and monitor the performance and effectiveness of our cybersecurity program and elevates risks and mitigation plans, as appropriate, to the Board.
Governance
Overall Risk Approach
The Board is responsible for oversight of our risks, including establishing our risk appetite and overseeing our risk management framework. The Board recognizes that effective risk oversight is important to the success of our strategy and is an integral part of exercising its fiduciary duties with respect to the Company and our stockholders. The Board believes our current leadership structure facilitates its oversight of risk by combining independent leadership through the Board with executive management members who have an intimate knowledge of our business, industry, and challenges.
Cybersecurity Risk Management and Oversight
The Board is responsible for overseeing the Company’s cybersecurity program and ensuring that it is aligned with our strategic goals and risk appetite. The Board has diverse expertise on topics including accounting and financial management, corporate governance, global business, technology and innovation, human capital management, ESG and cybersecurity. The Board also reviews the strategic direction of the Company’s cybersecurity program and ensures that adequate resources and budget are allocated to address cybersecurity threats.
The Board exercises its cyber risk oversight primarily through executive management, our CIO and our CISO. Our CIO and CISO have expertise in the areas of information security and cybersecurity, through decades of management, prominent cybersecurity training, and real-world experience. Intimate knowledge of best practices, incident response, technologies, and IT and business processes enables the management team to be effective in their approach.
The Board also has a standing committee (the “Cybersecurity Committee”) that advises it on cybersecurity matters and provides strategic guidance and direction for our cybersecurity program. The Cybersecurity Committee convenes as necessary to address critical or emerging cybersecurity concerns and to ensure alignment on approach. Our CIO and CISO collaborate with the Cybersecurity Committee and report to the entire Board on a quarterly basis, or more frequently as needed. Additionally, the Cybersecurity Committee reviews the outcomes of our regular tabletop exercises with our CIO and CISO and ensures that lessons learned have been incorporated into the overall strategy.