PEGASYSTEMS INC - (PEGA)
10-K Filing Date: February 14, 2024
ITEM 1C. CYBERSECURITY
We recognize the critical importance of maintaining the safety and security of our systems and data, and have a holistic approach for overseeing and managing cybersecurity and related risks. Our Board of Directors (the “Board”), the Audit Committee of the Board (the “Audit Committee”), and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. We have established policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats. A key component of this is our standing Security Steering Group (“SSG”) whose members include, among others, our Chief Information Security Officer (“CISO”), Chief Product Officer, and Chief Technical Systems Officer. We have devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies, standards, processes, and practices will be properly followed in every instance or that they will be effective.
Although we are not aware of having experienced any prior material data breaches, regulatory non-compliance incidents, or cybersecurity incidents, we may in the future be impacted by such an event, exposing our clients and us to the risk of someone obtaining access to our information, to the information of our clients or their customers, or to our intellectual property, disabling or degrading service, or sabotaging systems or information. Any such security breach could result in a loss of confidence in the security of our services, damage our reputation, disrupt our business, require us to incur significant costs of investigation, remediation, and/or payment of a ransom, lead to legal liability, negatively impact our future sales, and result in a substantial financial loss. For additional information, see "Item 1A. Risk Factors" of this Annual Report.
Risk Management and Strategy
Our policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization, and certain other applicable industry standards.
Our cybersecurity program focuses on the following key areas:
Collaboration
We have implemented a governance structure and processes to aggregate reported cybersecurity risks across Pega Cloud, Pega’s software products, and the corporate environment. Our SSG is responsible for providing strategic direction for implementing and maintaining our cyber risk management program.
Risk Assessment
Our cyber risk management program is designed to follow the ISO 31000 risk management framework and the NIST Special Publication 800-37 Risk Management Framework, and is in the scope of our ISO 27001 certifications.
At least annually, we conduct cybersecurity risk assessments that consider information from internal stakeholders, known information security vulnerabilities, and information from external sources, such as reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants. The results of the assessments are provided to our SSG and are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform our broader enterprise-level risk assessment. Key findings of these assessments are periodically presented to the Board and the Audit Committee.
Technical Safeguards
We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence, and incident response experience.
Incident Response and Recovery Planning
We have implemented Cyber Incident Response Programs, which are in the scope of our ISO 27001 certifications. We have also implemented Business Continuity Programs, which are in the scope of our ISO 22301 certification. We have established comprehensive incident response and recovery plans and test and evaluate the effectiveness of those plans regularly.
Third-Party Risk Management
We have implemented a Vendor Cybersecurity Risk Management Program (“VCRMP”), which is in the scope of our ISO 27001 certifications. The VCRMP controls are designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. These providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in making these risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities, and investigate security incidents that have impacted our third-party providers, as appropriate.
Education and Awareness
We require all employees to participate in security awareness training, including frequent phishing tests. Currently, our mandatory employee training courses include Security Awareness, Physical Security Awareness, Mobile Device Security, Business Continuity and Phishing, Work From Home, and AI Chatbot. In addition, all of our employee software developers are required to take additional security awareness training, currently including Secure Development. We periodically adjust the list of mandatory and optional courses.
Corporate Security Posture
We periodically conduct independent security assessments to assess our security posture and to inform where cybersecurity investments should be made. For systems in our corporate environment on which our cloud certifications have an operational dependency, we also maintain ISO/IEC 27001 certifications relating to overall IT processes and controls and ISO 22301 certification relating to business continuity.
Product Security Posture
To facilitate identification of security vulnerabilities in our products, we periodically conduct third-party penetration tests and participate in the independent Verified By Veracode program, as detailed on its website (https://www.veracode.com/verified/directory/pegasystemsInc), which is included as an inactive reference and the content of which is not incorporated by reference into this Annual Report. We also generate a monthly software bill of materials that identifies the open source components included in certain of our product offerings. In addition, we periodically have an independent security assessment firm evaluate the security risks linked to the suppliers we use, including source code repositories, the infrastructure employed for software development, and the mechanisms used for software delivery, such as Amazon Web Services (“AWS”), Google Cloud, and Microsoft Azure. Our Chief Product Officer reviews these findings and provides updates to our SSG.
We regularly release new versions of our products to address identified security vulnerabilities, enabling clients to stay current with the latest product releases. However, even after we make these updates available, it is possible that clients do not implement them or continue to use product versions on extended support that do not receive security updates.
Pega Cloud Security Posture
Pega Cloud undergoes several security assessments a year. Redacted versions of these reports are made available to our clients. Pega Cloud also maintains several security certifications, which are listed at http://pega.com/trust which is included as an inactive reference and the content of which is not incorporated by reference into this Annual Report.
Pega Cloud for Government holds a FedRAMP Moderate authorization and undergoes several security assessments a year as part of the FedRAMP authorization process.
Our Chief Technical Systems Officer reviews these assessments and provides updates to our SSG.
Governance
Board Oversight
As part of our corporate governance process, the Board, along with the Audit Committee, oversees our risk management process, which includes cybersecurity and related risks. Our CISO periodically meets with the Board and Audit Committee to inform and update them on our cybersecurity program.
SSG and Key Personnel
We have a standing SSG whose members include, among others, our CISO, Chief Product Officer, and Chief Technical Systems Officer. The SSG is charged with providing strategic direction for the implementation and ongoing operation of our cybersecurity program. The SSG meets at least quarterly. Our CISO chairs the SSG, and decisions and recommendations are based on a consensus of the members.
Our CISO has twenty years of professional experience, with eleven years specifically in information security roles. He has been with Pega for four years and has a Master of Science degree from Northwestern University.
Our Chief Product Officer has been with Pega for thirty-one years, has extensive experience in software development, and has a Bachelor of Science from the Indiana University of Pennsylvania.
Our Chief Technical Systems Officer has been with Pega for six years and has twenty-five years of technology management experience, including thirteen years in leadership roles in cloud services and related information security matters. He served in the U.S. Navy and holds a degree in Business Administration from the College of Technology at the State University of New York – Farmingdale.