Aspen Technology, Inc. - (AZPN)

10-K Filing Date: August 13, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We prioritize risk management as a core component of our overall cybersecurity program. We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities, and test those systems pursuant to our cybersecurity policies, processes and practices. To protect our information systems from cybersecurity threats, we use various security tools that help us identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. These efforts include:
an internal governance structure to identify, assess, and manage cybersecurity risks across the company in an integrated manner;
cybersecurity incident management procedures designed to address the monitoring of systems for anomalous activity; identification of threats; assessment, prioritization, and escalation of incidents; response and recovery of systems; and continuous improvement;
technical controls to help ensure systems are protected from security threats and unauthorized or inappropriate access;
a vulnerability management and threat intelligence program that is designed to provide threat intelligence information to leadership and impacted business units;
monitoring and tracking key cybersecurity metrics;
a third-party risk management program designed to assess and mitigate risks associated with vendors and other service providers; and
cybersecurity awareness training for all employees, including additional training for specialized functions.
We partner with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes, including through the use of cybersecurity consultants, to conduct evaluations of our security controls and provide certifications against industry-standard security frameworks, such as ISO 27001.
To date, we are not aware of cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. Refer to the risk factors captioned “Security or data privacy breaches, or disruptions of our information technology systems, and an increasingly complex regulatory landscape could adversely affect our business” and “Our software products are highly sophisticated and specialized, and a major product failure or similar event caused by defects, cybersecurity incidents or other failures, could adversely affect our business” in Part I, Item 1A. “Risk Factors” for additional description of cybersecurity risks and potential related impacts on us.
Governance
The Audit Committee of our Board reviews and oversees the implementation of our policies and procedures related to cybersecurity risk assessment and management.
Our Chief Security Officer (“CSO”) reports to the Audit Committee periodically on significant cybersecurity incidents and risks, as well as progress made on cybersecurity roadmap initiatives. The CSO also presents to the Board at least annually to address the current threat landscape, our readiness to meet those threats, and cybersecurity priorities and focus areas for the upcoming fiscal year.
The CSO may provide more frequent updates to the Board or the Audit Committee if necessitated by a security incident or other developments. The Audit Committee reports regularly to the Board regarding the committee’s oversight of cybersecurity risk matters.
We take a risk-based approach to cybersecurity and have implemented cybersecurity policies throughout our operations that are designed to address cybersecurity threats and incidents. In particular, the interim Chief Legal Officer and the CSO co-chair a periodic Cybersecurity Steering Committee (the “Steering Committee”) meeting to help ensure a strategic approach to assessing and mitigating cybersecurity risks. The Steering Committee is charged with:
providing ownership, oversight, and review of current and future information security risks;
reviewing, approving, and communicating information security policies, exceptions, standards, and processes to the relevant teams and employees and helping ensure business requirements are represented in Steering Committee discussions;
reviewing our approach to security initiatives to assess whether it is designed to meet appropriate risk thresholds and regulatory guidelines; and
providing strategic direction and sponsorship for cybersecurity investments, projects, and services.
The CSO, the interim Chief Legal Officer and the Chief Research & Software Development Officer are responsible for leading the assessment and management of cybersecurity risks. The current CSO has over 20 years of experience in information security.