TUCOWS INC /PA/ - (TCX)

10-K Filing Date: April 01, 2024
ITEM 1C. CYBER SECURITY


Risk Management and Strategy


Our business heavily relies on various IT and application systems, which contain proprietary and confidential information about our operations, employees, customers, and our customers' customers, including personally identifiable information. These systems are connected to and/or accessed from the Internet and, as a result, are susceptible to cyber-attacks. We recognize the critical importance of maintaining the safety and security of our systems and data and have a holistic process for overseeing and managing cybersecurity and related risks. Our process is supported by both management and our Board of Directors. Organizationally, our businesses are structured as three operating and reportable segments: Ting, Wavelo and Tucows Domains. These segments are decentralized; management and cybersecurity resources are organized both at the parent company level and within each decentralized segment. Each segment has dedicated liaisons for cybersecurity, compliance, and risk management activities.


We maintain and continue to expand our investment in the development of our information security management system (“ISMS”). Our ISMS leverages a risk-based approach and is informed by industry standard guidance, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the International Organization for Standardization (“ISO”) 27001 Information Security Management System Requirements. A material cyber-attack on Company systems, distribution partners and their key operating systems, or any other third-party partners or vendors and their key operating systems may interrupt the ability to operate the Company's business, damage the Company's reputation, or result in monetary damages. The development of the ISMS is focused on the protection of the confidentiality, integrity, and availability of the Company’s information system infrastructure as well as the data in the Company’s care, custody and control. The Company engages third parties to evaluate certain aspects of the ISMS, provide threat intelligence, and perform vulnerability assessments and other services as needed.


The Company follows an established process to identify and evaluate risks from cybersecurity threats that may arise internally or through the introduction of third parties to the ISMS. This evaluation is part of the Company's risk management process. The process may include, but is not limited to, evaluating the third party's cybersecurity maturity and/or imposing certain contractual conditions.


Operationally, the Company maintains Security and Network Operations Centers, which provide 24/7 coverage and support of on-call cybersecurity and network professionals to triage and respond to immediate cybersecurity threats and outages. The Company also assesses cybersecurity risks on a quarterly basis and ranks them according to their risk profile. These risks are communicated to management and to the Board of Directors as part of the normal course of operations.


Cybersecurity incidents are responded to in accordance with the Company’s established Cybersecurity Incident Response Plan (“IRP”). In the event of an incident, we follow our IRP, which includes evaluating the severity of the incident based on factors such as the number of assets affected, the extent of the incident, the likelihood of inappropriate data exposure, operational impact and/or reliability impact. Depending on the severity of an incident, it is escalated to senior leadership, including the CEO and CISO. Senior leadership then determines, based on various factors, whether the incident requires immediate escalation to the Board of Directors and to third-party incident response organizations, and whether notification is required to functional areas such as legal and finance, to senior leadership and the Board, and to external entities, as appropriate and required. We maintain relationships with third-party Digital Forensics and Incident Response (“DFIR”) service providers to strengthen our incident response capabilities in the event that we determine the need to augment our effort during an incident, and to provide us additional assurance that our responses to complex incidents or highly sophisticated threat actors have been effective and complete.


Although the risks from cyber threats have not materially affected our business strategy, results of operations, or financial condition to date, they may in the future, and we continue to closely monitor cyber risk. For a detailed description of the risks related to cybersecurity, see Item 1A, “Risk Factors,” of this Form 10-K, which should be read in conjunction with this Item 1C.


Board Governance and Management


The Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Our corporate information security function, led by our Chief Information Security Officer (“CISO”), is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. The current CISO has an extensive information technology and cybersecurity background gained through years of industry experience and leadership. The corporate information security function is responsible for managing and continually enhancing our information security posture and information security infrastructure with the ultimate goal of preventing cybersecurity incidents and reducing their severity to the extent feasible, while simultaneously increasing our resilience in an effort to minimize the business impact should an incident occur.


Senior leadership, including our CEO, who also has relevant experience in cybersecurity matters, and our CISO, regularly brief the Board of Directors on our cybersecurity and information security initiatives, and the Board of Directors is apprised of cybersecurity incidents deemed to have a material business impact.