AMERICAN SOFTWARE INC - (AMSWA)
10-K Filing Date: July 01, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Description of Company’s processes for assessing, identifying and managing cybersecurity risks
The Company takes an integrated, holistic approach to managing risks that pose a significant threat to the Company’s business, which includes, but is not limited to, its personnel, assets and revenue, as well as those of its clients and vendors. Those assets include systems, networks and data of our clients and our Company, as well as our employees, our application software, our confidential information and other forms of our intellectual property, among other examples. Cybersecurity threats are an important, but not all-inclusive, risk to the Company’s business.
The Company’s Enterprise Risk Committee provides high-level guidance and direction regarding the assessment, identification and management of cybersecurity risks. Key members of the Enterprise Risk Committee, such as our Chief Executive Officer, Chief Financial Officer and General Counsel, participate in all or substantially all of the meetings of the Committee and make decisions to address cybersecurity and non-cybersecurity risks across the enterprise on a prioritized basis. The Committee meets regularly, usually on a quarterly basis, to reassess the risks facing the Company, as cybersecurity and other risks change from time to time, both in their nature and potential impact to the Company. The Company identifies cybersecurity risks through a layered system of automated and human-staffed monitoring systems and controls, as well as through guidance from internal and external subject matter experts. Potential cybersecurity incidents are subsequently assessed through both automated and human-staffed systems and controls that prioritize event review based on their likelihood or probability of occurrence, together with their potential harm or impact.
Beyond identification and assessment, the Company uses automated and human-staffed monitoring and other systems to respond to and otherwise manage cybersecurity threats and potential cybersecurity incidents. The Company has developed and implemented practices and policies that will guide the Company through responding to actual and suspected cybersecurity incidents.
Training the Company’s personnel is a vital part of how the Company manages cybersecurity threat risks. Effective training can both prevent cybersecurity incidents from occurring and enable the Company to rapidly and effectively respond to an actual cybersecurity incident through fast reporting. Company personnel are required to participate in new hire, annual and monthly training. In regular town hall meetings, a member of our information security team speaks to the entire Company, focusing Company personnel’s attention on a specific risk or scenario in real time, with the opportunity for Company personnel to ask questions. In addition, on an ongoing basis, the Company’s information security team has tested and will continue to test Company personnel to see how they respond to phishing emails or similar communications that originate from the Company.
Integration into the Company’s overall risk management system or processes
To take a holistic perspective on risk, the Company’s processes regarding identification, assessment and management of cybersecurity risks are integrated into the Company’s overall risk management system and processes. As a result, as examples, the Company’s insurance programs, standard and negotiated contract terms with clients and vendors, operational processes, other procedures, and communication protocols in the event of a crisis take into account both cybersecurity threat and non-cybersecurity threat risks, with differentiation based on the nature of the risk.
Engagement of assessors, consultants, auditors, or other such processes by the Company
The Company engages outside consultants to conduct vulnerability scans and penetration tests to help the Company find and then mitigate cybersecurity threats. As noted above in Item 1 Business under the sub-heading Data Security, the Company also uses an external auditor to conduct an annual SOC 2 Audit.
Processes to oversee and identify such cybersecurity threat risks associated with third party service providers
The Company performs risk assessments on critical third party service providers, software and other tools used in the Company’s operations that may have the potential to create material cybersecurity threats to our business.
Cybersecurity Risk & Material Effects on the Company
The Company does not believe that any risks from past cybersecurity incidents have materially affected the Company or are reasonably likely to materially affect the Company. As to ongoing risks from cybersecurity threats, see Item 1A, “Risk Factors.”
Governance
The Board’s oversight of risks from cybersecurity threats
The full Board of Directors receives a report from the Company’s Enterprise Risk Committee in connection with each of their quarterly, regularly scheduled meetings. Twice a year, an executive employee member of the Committee presents during those Board meetings, with the opportunity for the Board to ask questions and engage in discussions regarding risks and cybersecurity threats, and the Company’s plans and efforts to address them. The materials presented to the Board may include, among other topics, updates and information regarding risk controls and related initiatives, cybersecurity monitoring data, cybersecurity threats and related risks, our SOC 2 Audit, and cybersecurity insurance. Our Chief Executive Officer, our Chief Financial Officer, and our General Counsel, who are members of our Enterprise Risk Committee, regularly attend Board meetings and are available to liaise between the Board and the rest of the Enterprise Risk Committee, should the Board have additional questions or concerns that need to be addressed.
Management’s role in assessing and managing material risks from cybersecurity threats
The Company’s Enterprise Risk Committee, described above, includes our Chief Executive Officer, Chief Financial Officer, General Counsel and our Chief Technology Officer. Depending on the nature of the risk at issue, other managers and employees of the Company may participate in the work of the Enterprise Risk Committee. As to cybersecurity threat risks, the following individuals play a role:
• Chief Financial Officer and Executive Vice President Information, Technology & Risk – The Company’s information security and information technology team reports to our Chief Financial Officer (“CFO”). For example, our Executive Vice President Information, Technology & Risk (“EVP, IT & Risk”) reports to our CFO. Our CFO and EVP, IT & Risk have familiarity with cybersecurity matters appropriate for their positions. Our EVP, IT & Risk is a member of our Enterprise Risk Committee as to cybersecurity threat risks and also participates in Board discussions regarding those risks.
• Manager, Information Security – Our Manager, Information Security identifies, assesses and manages our day-to-day cybersecurity threats and related risks. He reports to the EVP, IT & Risk, is a member of our Enterprise Risk Committee as to cybersecurity threat risks, and has eight years of experience as an information security professional.
• General Counsel – Our General Counsel has experience advising on cybersecurity-related matters, including cybersecurity incidents and cybersecurity risk program design and execution. He is also experienced in other related cybersecurity risk management practices, such as engaging with outside advisors and risk managers, among other examples.
How the Enterprise Risk Committee is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents
The Enterprise Risk Committee meets on a regular basis, at least quarterly, to review and assess the Company’s cybersecurity threat risk and other risk posture, to review new controls and initiatives to prevent or mitigate cybersecurity threat risks, and, where warranted, to evaluate relevant Company policies. Where appropriate, other managers and personnel participate in Committee meetings. Members of the Committee inform the Board, as noted above.