N-able, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on July 16, 2024

N-able, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 07:18:58 EST.

Filings

10-K filed on 2024-02-29

N-able, Inc. filed a 10-K at 2024-02-29 07:18:58 EST
Accession Number: 0001834488-24-000032

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The Company has adopted policies, processes, procedures and standards and implemented certain controls and procedures that allow its management to assess, identify and manage material risks from cybersecurity threats and for its Board of Directors, through its Cybersecurity Committee, to actively oversee the strategic direction, objectives, and effectiveness of the Company’s cybersecurity risk management framework. The Company’s processes are integrated into its overall enterprise risk management program, which includes financial risk, compliance risk and other strategic and operational risks that affect the Company. The processes compliment the Company’s enterprise-wide risk assessment architecture, as implemented by the Company’s management and as overseen by the Company’s Board of Directors through its Cybersecurity Committee. In designing these processes, the Company takes into account industry frameworks such as the National Institute of Standards and Technology (NIST), Committee of Sponsoring Organizations (COSO), and International Organization for Standardization (ISO) 27001, and other industry standards. To further improve the effectiveness of its cybersecurity risk management framework, the Company has in the past, and may continue to do so in the future, engage third party consultants, to assist in testing and evaluating our security program. The Company seeks to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, security, and availability of the information that the Company collects and stores by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. To identify and assess material risks from cybersecurity threats, we engage in regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises. The Company engages a third-party to perform 24/7 monitoring for threats and unauthorized access to our information security network. We have a formalized incident response plan (IRP) and associated procedures based on cybersecurity best practices which are refined using the information gained through testing and to further improve our cybersecurity preparedness and response infrastructure. These plans and procedures set forth the actions to be taken in responding to and recovering from cybersecurity incidents, which include triage, assessing the severity of incidents, escalation protocols, containment of incidents, investigation of incidents, and remediation. We also regularly perform phishing tests of our employees and provide annual privacy and security training for all employees. Our security training incorporates awareness of cyber threats (including but not limited to malware, ransomware, and social engineering attacks), password hygiene and incident reporting processes. We review our cybersecurity risk framework and related policies annually with our senior management to help identify areas for continued focus and improvement. We also engage third parties to review and assess our processes annually. Our information security management system has been independently certified as being in conformity with ISO/IEC 27001:2013. The Company has also implemented processes to identify, monitor and address material risks from cybersecurity threats associated with our use of third-party service providers, including those in our supply chain or who have access to our systems, data or facilities that house such systems or data. The Company works with such providers to recommend securities measures to be improved where possible, and generally requires those third parties that could introduce significant cybersecurity risk to us to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate. Although we have not experienced any material cybersecurity incidents since becoming a stand-alone public company in July 2021, we may experience such incidents in the future and the scope and impact of any such future incidents cannot be predicted. We have described whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, including the Cyber Incident, have affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition in the risk factors titled “Cyberattacks, including the Cyber Incident, and other security incidents have resulted, and in the future may result, in compromises or breaches of our, our MSP partners’, or their SME customers’ systems, the insertion of malicious code, malware, ransomware or other vulnerabilities into our, our MSP partners’, or their SME customers’ systems, the exploitation of vulnerabilities in our, our MSP partners’, or their SME customers’ environments, the theft or misappropriation of our, our MSP partners’, or their SME customers’ proprietary and confidential information, and interference with our, our MSP partners’, or their SME customers’ operations, exposure to legal and other liabilities, higher MSP partner and employee attrition and the loss of key personnel, negative impacts to our sales, renewals and upgrades and reputational harm and other serious negative consequences, any or all of which could materially harm our business” and “The Cyber Incident has had and may continue to have an adverse effect on our business, reputation, MSP partner and employee relations, results of operations, financial condition or cash flows” in “Item 1A. Risk Factors” of this Annual Report on Form 10-K. Governance Role of the Board of Directors and the Cybersecurity Committee As part of the Board of Directors’ role in overseeing the Company’s enterprise risk management program, which includes our cybersecurity risk management program, the Board is responsible for exercising oversight of management’s identification and management of, and planning for, material cybersecurity risks that may reasonably be expected to impact the Company. While the full Board has overall responsibility for risk oversight, the Board has delegated oversight responsibility related to risks from cybersecurity threats to the Cybersecurity Committee of the Board, or the Cybersecurity Committee. The Cybersecurity Committee is responsible for overseeing our information technology systems and cybersecurity risks, including plans and programs relating to cyber and data security and legal and regulatory risks associated with our products and business operations. The Cybersecurity Committee is informed of the Company’s cybersecurity risk management and receives an overview of its cybersecurity program from management at least quarterly, which covers topics including, among others, recent cybersecurity risk landscape and trends, data security posture, results from third-party assessments, training and vulnerability testing, our cybersecurity and compliance program, critical cybersecurity risks, as well as the steps management has taken to respond to such risks, emerging cybersecurity regulations, technologies and best practices. Material cybersecurity risks are also discussed during separate Board meetings as part of the Board’s risk oversight generally. Role of Management, Our Security Risk Committee (“SRC”), comprised of our Chief Security Officer (“CSO”), our Chief Legal Officer and representatives from the technology and product, people, IT and legal teams, is responsible for management’s oversight of cybersecurity governance, decision-making, risk management, awareness, and compliance across the Company. Our CISO works with the SRC to employ a cybersecurity program designed to protect the Company’s information systems from cybersecurity threats and to respond to incidents in accordance with the Company’s incident response plan and other policies and procedures. The CSO manages a team that is responsible for day-to-day tracking, assessing and management of threats. The N-able security team has a dedicated incident response team, with trained resources that are responsible for the various stages of our incident management strategy, including preparation, detection and analysis, containment, eradication, and recovery. Through ongoing communications with the team, the CSO and the SRC are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents and progress on cybersecurity infrastructure initiatives. In the event of a material cybersecurity incident or investigation, management will, in accordance with the Company’s IRP and other policies in place, promptly report to the Cybersecurity Committee and the Board, as appropriate. This escalation is in addition to the regular reports by the CSO to the Cybersecurity Committee on at least an annual basis. Our CSO has served as such since 2021, and has over 20 years of experience in various roles in information security, including serving as an IT security leader at AT&T/Warner Media, where he implemented an extensive security program managing complex incident response events. He holds a degree in Information Technology.


Company Information

NameN-able, Inc.
CIK0001834488
SIC DescriptionServices-Prepackaged Software
TickerNABL - NYSE
Website
CategoryLarge accelerated filer
Fiscal Year EndDecember 30