Page last updated on July 16, 2024
BLACKBERRY Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-04 17:29:48 EDT.
Filings
10-K filed on 2024-04-04
BLACKBERRY Ltd filed a 10-K at 2024-04-04 17:29:48 EDT
Accession Number: 0001070235-24-000057
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy The Company’s cybersecurity risk management program is an integral part of its overall enterprise risk management efforts. The Company manages cybersecurity risks within its products and services, infrastructure and corporate resources using a framework that is based on applicable regulations, industry standards and recognized best practices. Through this framework, the Company devotes significant resources to identifying, monitoring, assessing and responding to cybersecurity threats and incidents, including those associated with its use of third-party software, applications, services, and cloud infrastructure. To mitigate risk to its systems, endpoints and data, the Company evaluates internal and external threat intelligence, deploys encryption and authentication technologies and other protective measures, maintains security policies and procedures, and conducts vulnerability testing and awareness training. The Company also conducts penetration testing and other risk assessments, implements appropriate internal controls, and engages independent third-party auditors to evaluate its compliance with security compliance standards. The Company’s incident response team, comprised of representatives from the Company’s information technology, information security, product security, engineering, privacy and legal groups, is responsible for addressing data breaches, intrusions, and other security incidents and implementing the Company’s incident response plan. The Company’s incident response plan includes processes and procedures for assessing internal and external threats, escalation and activation, crisis management, and post-incident recovery. The readiness of the incident response team is promoted through table-top exercises and threat simulations. The Company also conducts mandatory training of all employees on its security practices and policies and periodically sends simulated phishing emails to employees to build resilience. In addition, the Company maintains specific policies and practices to mitigate third party security risks, including a process for evaluating the security controls of vendors and service providers who exchange data with the Company or have access to or integrate with the Company’s systems. At the same time, the Company’s control over the security posture of third parties is limited and there can be no assurance that any partner of the Company will not experience a compromise or failure in the information assets under its control. 24 For the years covered by this report, the Company did not identify any security threats or incidents that have materially affected or are reasonably likely to materially affect its business strategy, results of operations or financial condition. However, like all other enterprises, the Company faces known and unknown cybersecurity risks and threats that are not fully mitigated. While the Company works continuously to enhance its security programs and risk management efforts, it discovers vulnerabilities from time to time and there can be no assurance that the Company has not experienced an undetected cybersecurity incident or that it will not experience material loss or damage from an incident in the future. Cybersecurity Governance The Board has overall responsibility for the Company’s enterprise risk management program, and the Audit and Risk Management Committee assists the Board with this oversight. The Company’s internal audit function reports to the Audit and Risk Management Committee and, among other things, provides independent assurance on the Company’s risk management activities and internal controls related to cybersecurity risk. For more information, see Part 3, Item 10 “Directors, Executive Officers and Corporate Governance - Enterprise Risk Management”. Management’s cybersecurity programs operate under the leadership of the Company’s Chief Information Security Officer (“CISO”), who receives reports from his team of information and product security professionals and monitors the prevention, detection, mitigation and remediation of cybersecurity risks. The CISO provides quarterly updates to the Board on the advancing maturity of the Company’s cybersecurity program, including reports on security controls coverage and effectiveness, secure software development and product security, vulnerability testing and remediation, and security operations. The updates also include reports on improvements to processes, technology and governance to mitigate residual cybersecurity risk.
Company Information
Name | BLACKBERRY Ltd |
CIK | 0001070235 |
SIC Description | Services-Prepackaged Software |
Ticker | BB - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | February 28 |