AvidXchange Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on July 16, 2024

AvidXchange Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:11:12 EST.

Filings

10-K filed on 2024-02-29

AvidXchange Holdings, Inc. filed a 10-K at 2024-02-29 16:11:12 EST
Accession Number: 0000950170-24-023077


Item 1C. Cybersecurity.

We maintain various protections designed to safeguard against cyber attacks, including access controls, firewalls and virus detection software. We have established and test our disaster recovery plan, and we protect against business interruption by backing up our major systems. We periodically scan our environment for vulnerabilities and engage third parties to perform annual penetration testing and to assess the effectiveness of our information security practices. In addition, we maintain insurance that currently includes cybersecurity coverage. In the normal course of business, we also collect and store certain sensitive Company information, including proprietary and confidential business information, trade secrets, intellectual property, customer information (including bank account information and invoice and payment information), sensitive third-party information, employee information, and certain personal information. To protect this information and our systems, our existing cybersecurity policies require monitoring and detection programs, network security measures, and encryption of critical data. Additionally, we have processes in place that are designed to assess and manage cybersecurity risks associated with our use of third-party service providers.

Governance - Board Oversight and Management's Role in Assessing and Managing Cybersecurity Risks

Our board of directors and Chief Executive Officer have ultimate accountability for risk and for establishing the risk culture of the Company. This includes oversight of our risk management program, which includes risks from cybersecurity threats. Our board of directors and Chief Executive Officer, including through the risk management committee of our board of directors, provide oversight to ensure the appropriate measures are in place so that management can identify, assess, prioritize, and respond to risk, including cybersecurity risks. We believe our board of directors, the risk management committee of our board of directors, and our Chief Executive Officer collectively have the requisite experience, knowledge, inquisitiveness, and visibility into the design and operation of our information security practices to fulfill this responsibility effectively.

Processes for Assessing, Identifying, and Managing Cybersecurity Risks

At an operating level, our cybersecurity program is led by our Chief Information Officer ("CIO") and our Chief Information Security Officer ("CISO"). Our CIO and CISO have over 45 combined years of information technology and cybersecurity experience, with skill sets that span architecture and design, risk assessment, incident and remediation management, department development, companywide training, and the creation and implementation of cybersecurity compliance programs that address administrative, physical, and technical safeguards. Our cybersecurity program incorporates industry-standard frameworks, policies and practices designed to protect the privacy and security of our sensitive information. Our cybersecurity leadership regularly reports to the board of directors and its audit and risk management committees on information security and cybersecurity matters. For example, the risk management committee, in conjunction with management and our enterprise risk management team, reviews and discusses on at least a quarterly basis certain cybersecurity metrics that include reporting on phishing incidents and training, vulnerability management, security incident trends, detection and response effectiveness, recovery measures and incident resiliency. We have implemented policies, standards, and technical controls based on the National Institute of Standards and Technology ("NIST") framework with the aim of protecting our networks and applications and safeguarding the confidentiality of sensitive information entrusted to us. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

We and our critical service providers have security measures and programs in place designed to prevent, detect, and respond to cyber-attacks, security-related incidents, and other similar threats. However, our ability to monitor our vendors' cybersecurity practices is limited; therefore, we cannot guarantee that our measures and programs will prevent a cyber-incident impacting our systems or information. We continue to evaluate internal systems, processes, and controls to identify potential vulnerabilities and mitigate potential loss from cyber-attacks. We undertake an annual tabletop exercise to assess our response proficiency. We monitor critical and high risks and associated mitigation plans, as well as a forward-looking information security roadmap that is aligned with the six functions set forth in NIST's Cybersecurity Framework: Govern, Identify, Protect, Detect, Respond, and Recover. The goal of this framework is to implement effective information security risk techniques and strategies, minimize operational and fraud losses, and enhance our overall performance. In addition, we have invested, and plan to continue investing, in resources to protect our information security ecosystem against cyber-attacks, other security-related incidents, and data breaches, and to investigate and remediate any information security vulnerabilities.

Our cybersecurity program has also focused on company-wide training on phishing and other social engineering attacks. Management takes the position that cybersecurity is owned company-wide as a collective team, not just by the organizations of the Chief Information Officer and Chief Information Security Officer. Our newest security awareness platform was deployed in the first quarter of 2024 to improve awareness through assessments, training, realistic phishing campaigns, and immediate feedback. All-hands briefings, updates on metrics, and "tips and tricks" supplement our platform and address gaps in awareness. Key areas of focus in 2024 will include challenging employee-teammates with real-world social engineering techniques and encouraging the reporting of phishing to improve resiliency.

Material Impacts from Cybersecurity Threats and Incidents

Despite the implementation of our cybersecurity program, our security measures cannot guarantee that a significant cyber-attack will not occur. A successful attack on our information technology systems could have significant consequences for the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. See "Risk Factors" for additional information about the risks to our business associated with a breach or compromise of our information technology systems.

In early April 2023, we detected a cybersecurity incident as part of our routine security monitoring protocols. In response to the incident, we undertook an investigation with the support of leading cybersecurity experts, reached out to law enforcement, accelerated planned security enhancements, and have taken and will continue to take actions to implement additional safeguards. The investigation determined that the incident primarily affected systems that were used for back-office activities. Data was exfiltrated from these systems and posted on the dark web. The data consisted of confidential information from our files, including personally identifiable information (primarily information of our employees, former employees, and their dependents), the bank account information of some customers, and other sensitive Company information.

We cooperated with inquiries about the incident from three state consumer and financial service regulators, provided notices to impacted customers and individuals, and complied with regulatory requirements of various states that address notice and credit monitoring. We delivered all required notices during the fourth quarter of 2023 and consider our investigation to be complete. During the fiscal year ending December 31, 2023, we incurred $5.4 million in response costs related to the incident, including professional services and legal fees, before insurance recoveries. We currently do not expect to experience material expenses and costs associated with our response to this cybersecurity incident during 2024. While a loss from these matters is possible, we are unable at this time to reasonably estimate the possible loss or range of loss. Therefore, no liability for losses has been recorded related to the incident as of December 31, 2023. We maintain cyber insurance coverage and have tendered claims for certain expenses incurred in connection with this event. We will tender claims in future periods for costs incurred as of December 31, 2023. The extent to which our insurance will cover such expenses remains uncertain. As of December 31, 2023, we had recovered $1.7 million from our insurer. Insurance recoveries are recorded as a reduction of general and administrative expense. Refer to Note 15 to our Audited Consolidated Financial Statements for additional information concerning the incident. As a result of our cybersecurity incident in 2023, our cyber insurance premiums increased significantly following renewal, and the number of insurers that submitted proposals to us for consideration during our renewal process was very limited.


Company Information

Name: AvidXchange Holdings, Inc.
CIK: 0001858257
SIC Description: Services-Prepackaged Software
Ticker: AVDX - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30