XBP Europe Holdings, Inc. - (XBP)
10-K Filing Date: April 01, 2024
Risk Management and Strategy
The Company has developed and maintained a comprehensive cybersecurity program which is integrated within the Company’s enterprise risk management program and encompasses the corporate and operational technology environments, as well as client-facing products and services. Our cybersecurity program has implemented a governance structure and process to identify, assess, manage, mitigate, respond to and report on cybersecurity incidents and risks within an ever-changing threat landscape. We utilize cybersecurity policies and frameworks based on industry and government standards, including the National Institute of Standards and Technology Cyber Security Framework (“NIST CSF”). This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity program includes an incident response plan, which establishes (1) a framework for classifying security incidents according to their severity level, taking into account the nature and scope of the incident; and (2) protocols for the escalation of incidents. The Company operates a 24 x 7 security operations center (“SOC”) which monitors our global cybersecurity solutions and production environments, and serves as a central location for the reporting of cybersecurity matters. The roles and responsibilities of the SOC and our cybersecurity team in the incident response context are established by the incident response plan, as well as in associated playbooks and other procedural documentation.
We partner with third parties to support and evaluate our cybersecurity program. Provided third-party services span areas including cybersecurity maturity assessments, incident response, penetration testing and consulting on best practices. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those who have access to our data or our systems. Third-party risks are included within our risk assessment of vendors, as well as our cybersecurity-specific risk identification program. In addition, cybersecurity considerations affect the selection and oversight of third-party service providers. We perform diligence on third parties, particularly those that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence.
We have also implemented a cybersecurity awareness program which covers topics such as phishing, social networking safety, password security and mobile device usage. We communicate these and other pertinent security issues or compliance changes through our regular internal communications cadence. Additionally, the Company has mandatory security awareness training addressing cybersecurity, privacy and confidential information.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. In June 2022, ETI experienced a previously disclosed network security incident which had material adverse impact and required ETI to, among other things, limit access to its applications and services by its employees and customers. In response, ETI incurred considerable costs to restore the security of its internal systems and networks and adopted various enhancements. If we were to experience a material cybersecurity incident in the future, such incident may have a material effect, including on our business strategy, operating results or financial condition. Please refer to “Item 1A. Risk Factors” for further information about the material risks associated with various cybersecurity threats.
Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to its Audit Committee oversight of cybersecurity and other information technology risks. Our Audit Committee oversees management’s ongoing activities related to our cybersecurity risk management and compliance programs.
Our cybersecurity program is led by our Chief Technology Officer (“CTO”), who has two decades of experience in various cybersecurity, software development, product management, and other technology-related roles. Our CTO oversees teams across the company supporting our security functions of identify, prevent, detect, respond, and recover. These teams are composed of personnel with a broad range of experience across the private and public sectors, the technology industry, and different geographic regions.
Our Audit Committee receives periodic reports from our CTO and management on our cybersecurity risks and the current threat landscape trends. In addition, management will update the Board directly, as necessary, regarding cybersecurity incidents. The full Board also receives presentations on cybersecurity topics from our CTO and other security management staff as part of the Board’s continuing education on topics that impact the Company.