10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Cybersecurity risk management is an integral part of our overall enterprise risk management program. Our cybersecurity risk management program, which is managed by Cognizant’s Corporate Security team, is designed to identify, assess and manage risks from cybersecurity threats and provides a framework for handling cybersecurity threats and incidents. The program is also aligned with the risk assessment framework that has been established by the enterprise risk management team.
Our cybersecurity risk management framework includes steps for assessing the severity of a cybersecurity threat (including an escalation process for potentially material cybersecurity threats and incidents to an internal committee composed of members of senior management), identifying the source of a cybersecurity threat (including whether the cybersecurity threat is associated with a third-party service provider), and implementing cybersecurity countermeasures and mitigation strategies. The internal committee is responsible for assessing the materiality of cybersecurity threats and incidents and informs designated members of executive leadership and of the Board of Directors of material cybersecurity threats and incidents.
Cognizant's cyber risk management program is periodically audited as part of external certification audits. We also engage third-party cybersecurity experts to assist with risk assessment and conduct penetration testing among other items. Key findings from the audits and third-party risk assessments are summarized and communicated to the Company’s senior leadership and the Audit Committee, and remediation actions are implemented to enhance our overall cybersecurity program.
We require our vendors to comply with privacy and cybersecurity requirements, and we perform risk assessments of vendors, including their ability to protect data from unauthorized access. We include data protection and security content as part of annual training required of employees.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. In 2020, we experienced a previously disclosed cybersecurity incident that resulted in unauthorized access to certain data and caused significant disruptions to our business operations. In response, we engaged leading outside forensics and cybersecurity experts, launched a comprehensive containment and remediation effort and forensic investigation, restored the security of our internal systems and networks, and adopted various enhancements to the security of our systems and networks.
As part of our overall enterprise risk management program, we prioritize the identification and management of cybersecurity risk at several levels. Our Board of Directors has overall oversight responsibility for our risk management, and delegates cybersecurity risk management oversight to the Audit Committee, which is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. The Audit Committee previously utilized an IT Cybersecurity Subcommittee, composed of members of the Audit Committee, to assist in carrying out a portion of these responsibilities. In December 2023, the Audit Committee transitioned away from use of the subcommittee structure. At all times, the full Audit Committee has maintained and continues to maintain oversight responsibility for cybersecurity risk management.
Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs.
Our cyber risk assessment program is managed by our Corporate Security team, which is led by our CSO, who has over 25 years of experience in the cybersecurity and technology industry. The CSO reports to Cognizant's Executive Vice President, General Counsel, Chief Corporate Affairs Officer and Secretary. The CSO manages multiple teams within Corporate Security that are operationally responsible for the security of the Company, including Global Cyber Operations, Business Information Security, Global Business Resilience and Integrated Risk Management, each of which provides regular updates to the CSO regarding cyber threat intelligence, cyber incidents and cyber risk metrics as part of their security responsibilities. The CSO works closely with the CIO, who is responsible for Cognizant's information technology and digital transformation strategy. Together, the CSO and CIO have a mutual set of responsibilities to align, implement, and govern security policies, standards, and technology controls throughout the enterprise. On a periodic basis, the CSO and CIO provide updates to the Audit Committee on, among other things, key cybersecurity metrics, status of projects to strengthen the Company's information security systems and assessments of the Company's security program. The Audit Committee reports to the Board of Directors, which also receives periodic updates on such matters.
December 31, 2023 Form 10-K