MANHATTAN ASSOCIATES INC - (MANH)
10-K Filing Date: February 05, 2024
We believe Manhattan has appropriate processes for assessing, identifying, and managing material risks from cybersecurity threats. Those processes are embodied in our enterprise-wide Cyber Risk Management Program (the “Cyber Program”), which includes our cybersecurity governance structure and our cybersecurity strategy and processes.
Governance Structure
Board Oversight. Our Board of Directors has delegated oversight of our Cyber Program to the Board Audit Committee. Despite that delegation, the full Board also remains informed, through quarterly presentations to the full Board by our Chief Financial Officer or their designee (or more frequently as necessary), followed by the opportunity for Q&A and discussion, on the status of the Cyber Program. The presentations cover, among other things, our cyber incident experience, ongoing cyber threats, material risks, deployment of cybersecurity controls and risk mitigants, engagement of third parties (e.g., consultants and auditors) and third-party tools, our cyber insurance coverages, and our employee-training programs. If further Board engagement on cybersecurity matters is required, management, through the CEO, CFO or CLO, communicate directly with the Audit Committee chair, who engages the Audit Committee as they deem appropriate.
Management’s Assessment and Management of Cybersecurity Threats. Members of Manhattan’s executive management team, along with others from Company senior management, and others with varying areas of expertise, are engaged as part of our Cyber Program:
20
Risk Management and Strategy
Overview of Processes for Assessing, Identifying, and Managing Material Cyber Risks.
The principal objectives of our Cyber Program are to minimize the risks associated with cybersecurity threats to our business operations, financial performance and financial condition, and protect the confidential information, intellectual property, and other assets of Manhattan, and those of our customers, vendors, partners, employees, and consumers that can be at risk due to cybersecurity threats to Manhattan.
Manhattan has incorporated industry recognized cybersecurity frameworks and standards into its Cyber Program, including frameworks from the National Institute of Standards and Technology (NIST) and security control auditing protocols from the Center for Internet Security (CIS) and the International Organizations for Standardization (ISO). Recognizing that the nature of cybersecurity threats and the particular threat vectors we face continually change, we continue to invest in updating and enhancing our Cyber Program. Annually, as part of Manhattan’s budgeting process, our Senior Director, Global Security, submits to our CIO their recommendations for Cyber Program enhancements, including the associated capital requests, for inclusion in the CIO’s proposed IT budget. Those recommendations are then evaluated at the executive level, taking into account the projected return on investment and the anticipated enhancement of our cybersecurity risk profile.
21
Under our Cyber Program, our Senior Director, Global Security, and the staff. along with our management-led Cybersecurity Committee, with input where appropriate from our third-party advisors, work to identify our cybersecurity threats, assess the risks, and deploy appropriate technologies and processes to mitigate the risks. When cybersecurity incidents occur, these resources work to manage through the incident utilizing advanced security tools and playbooks, and in accordance with processes set out in various Company policies and practice documents, which include internal communications protocols to keep the executive team and, where appropriate, the Audit Committee and Board, informed. Pertinent policy and practice documents include, among others, Manhattan’s Incident Response Policy, our Incident Escalation Matrix, our Materiality Determination Process for Cybersecurity Incidents (governing the Company’s materiality determination for reporting purposes) and our Crisis Response Plan.
As an important cybersecurity risk mitigant, Manhattan provides mandatory training to its new hires and quarterly training of its employees, including phishing simulation tests and follow-up tests as needed, along with monthly cybersecurity newsletters and other cyber risk-related communications.
Integration into Overall Risk Management System or Processes. Our risk management systems and processes comprise numerous components, including published policies and procedures, risk detection systems, tools, and protocols (automated and human), internal and external independent auditing, management committee review, defined lines of communications, employee training, engagement of outside advisors and experts, assessment and utilization of both commercial and self-insurance opportunities, customer contract standardization where possible, legal review of vendor engagements and new products for regulatory compliance, regular operations reviews with the CEO, and Board (and Board Committee) oversight. Manhattan utilizes the foregoing systems and processes to best ensure effective management of our risks and associated cybersecurity threats. The CFO or their designee reports to the full Board at least quarterly on the status of our Cyber Program.
Engagement of Third Parties. As part of its Cyber Program, Manhattan engages outside independent auditors, consultants, and professional advisors. We also engage industry-leading cybersecurity service and systems providers to assist with protection from and detection of cybersecurity threats and incidents and our responses to them.
Risks from Third Party Service Providers and Others. Manhattan’s cybersecurity team, under the oversight of the Senior Director, Global Security, performs risk assessments on third party service providers and other third parties (such as partner companies), as well as third party software and hardware utilized in its operations, that may have the potential to create cybersecurity threats to our data and operations.
Risks from Cybersecurity Threats—Likely Material Impact. See Item 1A, ”Risk Factors—Risks Related to Our Intellectual Property and Cybersecurity.” We do not believe any risks from previous cybersecurity threats have materially affected or are reasonably likely to materially affect Manhattan.