AGILYSYS INC - (AGYS)

10-K Filing Date: May 21, 2024
Item 1C. Cybersecurity.

We have an enterprise-wide information security program designed to identify, protect, detect and respond to and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we use various security tools and third-party managed security services that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools. We also evaluate the information security of potential partners and vendors as part of our selection process and attempt to negotiate adequate protections from such third parties when we enter into contracts with them. Although our security program is designed to identify, prioritize, assess, mitigate and remediate third party risks,, we rely on our partners and vendors to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful.

We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We use a widely-adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards. We conduct regular reviews and tests of our information security program and also leverage tabletop exercises, penetration and vulnerability testing, and third-party red team exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We also engage an external auditor to conduct annual Security and Organizational Controls 2 (SOC 2) examination of the security controls for systems storing customer data. The external auditor also conducts an annual payment card industry (PCI) data security standard review of our security controls protecting payment information, as well as third-party penetration testing of our cardholder environment and related systems.

Our systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information (of third parties, employees, and our customers) and other data, confidential information or intellectual property, and we have experienced an unauthorized release of certain data. However, to date no cybersecurity incidents have had a material impact on our business, financial condition or results of operations, and we are not presently aware of any cybersecurity threats that are reasonably likely to materially affect us. Any significant disruption to our service or access to our systems could result in a loss of customer data and adversely affect our business and results of operation. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a material adverse effect on our business, financial condition and results of operations. See "Risk Factors — Cyber-attacks involving our systems and data could expose us to liability or harm our reputation and have a material adverse effect on our business.”

The Vice President and Chief Information Security Officer (CISO) leads the global information security organization responsible for overseeing our information security program. Our CISO has over 25 years of industry experience, including serving in similar roles

24


 

leading and overseeing cybersecurity programs at other public companies, and is a Certified Information Security Professional and Information Systems Security Architecture Professional. Team members who support our information security program have relevant educational and industry experience, including holding similar positions at large technology companies. Given the nature of our business, management is highly focused on identifying and managing cybersecurity risks, and our CISO and information security teams provide regular reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings.

The Board has primary responsibility for oversight of the Company’s cybersecurity risks. The Audit Committee is also responsible for reviewing the Company’s information and cybersecurity risks and the steps that management has taken to protect against threats to the Company’s information systems and security, including results of periodic security assessments performed in conjunction with ongoing monitoring. The Audit Committee has formed a Cybersecurity Risk Subcommittee consisting of two independent directors to assist the Audit Committee in its oversight of cybersecurity risks. By its charter, all members of the Cybersecurity Risk Subcommittee must have a background or experience in information technology or cybersecurity and an understanding of cyber threats, risk mitigation and policy.

The results of our SOC2 and PCI assessments are reported to the Cybersecurity Risk Subcommittee. Both the Subcommittee and the Board receive regular reports from our CISO on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. The Board also oversees our annual enterprise risk assessment, where we assess key risks within the company, including security and technology risks and cybersecurity threats.