MANHATTAN ASSOCIATES INC - (MANH)

10-K Filing Date: February 05, 2024
Item 1C. Cybersecurity

We believe Manhattan has appropriate processes for assessing, identifying, and managing material risks from cybersecurity threats. Those processes are embodied in our enterprise-wide Cyber Risk Management Program (the “Cyber Program”), which includes our cybersecurity governance structure and our cybersecurity strategy and processes.

Governance Structure

Board Oversight. Our Board of Directors has delegated oversight of our Cyber Program to the Board Audit Committee. Despite that delegation, the full Board also remains informed, through quarterly presentations to the full Board by our Chief Financial Officer or their designee (or more frequently as necessary), followed by the opportunity for Q&A and discussion, on the status of the Cyber Program. The presentations cover, among other things, our cyber incident experience, ongoing cyber threats, material risks, deployment of cybersecurity controls and risk mitigants, engagement of third parties (e.g., consultants and auditors) and third-party tools, our cyber insurance coverages, and our employee-training programs. If further Board engagement on cybersecurity matters is required, management, through the CEO, CFO or CLO, communicates directly with the Audit Committee chair, who engages the Audit Committee as they deem appropriate.

Management’s Assessment and Management of Cybersecurity Threats. Members of Manhattan’s executive management team, along with others from Company senior management, and others with varying areas of expertise, are engaged as part of our Cyber Program:

Chief Financial Officer and Chief Information Officer – Direct management of our Cyber Program falls within our Information Technology department, which reports up through our CIO, who reports to our CFO. Both our CIO and CFO have familiarity and oversight experience, appropriate for their positions, regarding general cybersecurity matters and threats affecting business-to-business software and cloud services vendors such as Manhattan. The CFO is a member of our Disclosure Committee, which is responsible for determining whether a Cybersecurity Incident is “material” for purposes of publicly reporting cybersecurity incidents, and is a member of our “Core Response Team” under the Company’s Crisis Response Program. Our CFO also chairs our management Cybersecurity Committee.
Chief Legal Officer – Our CLO has experience providing legal advice regarding cybersecurity-related programs as well as engaging with outside advisors and insurance brokers and underwriters on cybersecurity coverage, claims, and loss mitigation. Our CLO also is a member of the Disclosure Committee and the Core Response Team.
Senior Director, Global Security – Our Senior Director, Global Security, has managed our Cyber Program for seven years. He manages its day-to-day operations, oversees our security analysts and engineers, and leads our Cybersecurity Committee meetings. He is trained in cybersecurity strategy, planning, and execution and holds industry recognized security certifications, including Certified Information Systems Security Professional (CISSP) from the International Information System Security Certification Consortium (ISC2) and Certified Information Security Manager (CISM) from the Information Systems Audit and Control Association (ISACA).
Cybersecurity Committee – Members include, in addition to the CFO and SD, Global Security, business representatives of Manhattan’s material business lines and administrative departments, cyber-risk operational heads from our material business lines, and our VP, Contracts and Administration (or their designee). The Cybersecurity Committee’s purpose is to review cybersecurity risks, discuss emerging threats, prioritize cybersecurity efforts, and make recommendations to leadership.
Crisis Response Team – Pursuant to our Crisis Response Program, our Crisis Response Team, which comprises the CLO, CFO, Chief People Officer and Chief Marketing Officer, and an expanded team from our material business lines and administrative departments, as well as outside advisors/experts (cyber forensics, external legal counsel, law enforcement, public relations), is charged with managing the Company through a cybersecurity incident (or other event or series of events) that rises to the level of a Company “crisis.” The Program includes protocols by which the CLO, on behalf of the Team, will report to or engage the CEO and the Chairman of the Board if and when an incident becomes a crisis or potential crisis.
Other Roles – The Cyber Program includes engagement of other Company management employees and outside service providers to oversee or perform specific roles in connection with cybersecurity risk assessment and management, and incident management. That includes risk and security heads from our material business lines who implement and administer policies specific to those business lines and independent auditors to certify compliance with the Company’s internal control over financial reporting, the American Institute of Certified Public Accountants’ Systems and Organization Controls (SOC 2) security framework, and the Federal Government’s Federal Risk and Authorization Management Program (FedRAMP) criteria for federal use of cloud services. We also conduct reviews for compliance with data protection regulation such as Europe’s General Data Protection Regulation (GDPR) and regulation of various U.S. states such as the California Consumer Privacy Act (CCPA).

 

Risk Management and Strategy

 

Overview of Processes for Assessing, Identifying, and Managing Material Cyber Risks.

The principal objectives of our Cyber Program are to minimize the risks associated with cybersecurity threats to our business operations, financial performance and financial condition, and protect the confidential information, intellectual property, and other assets of Manhattan, and those of our customers, vendors, partners, employees, and consumers that can be at risk due to cybersecurity threats to Manhattan.

Manhattan has incorporated industry recognized cybersecurity frameworks and standards into its Cyber Program, including frameworks from the National Institute of Standards and Technology (NIST) and security control auditing protocols from the Center for Internet Security (CIS) and the International Organization for Standardization (ISO). Recognizing that the nature of cybersecurity threats and the particular threat vectors we face continually change, we continue to invest in updating and enhancing our Cyber Program. Annually, as part of Manhattan’s budgeting process, our Senior Director, Global Security, submits to our CIO their recommendations for Cyber Program enhancements, including the associated capital requests, for inclusion in the CIO’s proposed IT budget. Those recommendations are then evaluated at the executive level, taking into account the projected return on investment and the anticipated enhancement of our cybersecurity risk profile.

Under our Cyber Program, our Senior Director, Global Security, and the staff, along with our management-led Cybersecurity Committee, with input where appropriate from our third-party advisors, work to identify our cybersecurity threats, assess the risks, and deploy appropriate technologies and processes to mitigate the risks. When cybersecurity incidents occur, these resources work to manage through the incident utilizing advanced security tools and playbooks, and in accordance with processes set out in various Company policies and practice documents, which include internal communications protocols to keep the executive team and, where appropriate, the Audit Committee and Board, informed. Pertinent policy and practice documents include, among others, Manhattan’s Incident Response Policy, our Incident Escalation Matrix, our Materiality Determination Process for Cybersecurity Incidents (governing the Company’s materiality determination for reporting purposes) and our Crisis Response Plan.

As an important cybersecurity risk mitigant, Manhattan provides mandatory training to its new hires and quarterly training of its employees, including phishing simulation tests and follow-up tests as needed, along with monthly cybersecurity newsletters and other cyber risk-related communications.

Integration into Overall Risk Management System or Processes. Our risk management systems and processes comprise numerous components, including published policies and procedures, risk detection systems, tools, and protocols (automated and human), internal and external independent auditing, management committee review, defined lines of communications, employee training, engagement of outside advisors and experts, assessment and utilization of both commercial and self-insurance opportunities, customer contract standardization where possible, legal review of vendor engagements and new products for regulatory compliance, regular operations reviews with the CEO, and Board (and Board Committee) oversight. Manhattan utilizes the foregoing systems and processes to best ensure effective management of our risks and associated cybersecurity threats. The CFO or their designee reports to the full Board at least quarterly on the status of our Cyber Program.

Engagement of Third Parties. As part of its Cyber Program, Manhattan engages outside independent auditors, consultants, and professional advisors. We also engage industry-leading cybersecurity service and systems providers to assist with protection from and detection of cybersecurity threats and incidents and our responses to them.

Risks from Third Party Service Providers and Others. Manhattan’s cybersecurity team, under the oversight of the Senior Director, Global Security, performs risk assessments on third party service providers and other third parties (such as partner companies), as well as third party software and hardware utilized in its operations, that may have the potential to create cybersecurity threats to our data and operations.

Risks from Cybersecurity Threats—Likely Material Impact. See Item 1A, “Risk Factors—Risks Related to Our Intellectual Property and Cybersecurity.” We do not believe any risks from previous cybersecurity threats have materially affected or are reasonably likely to materially affect Manhattan.