COMMVAULT SYSTEMS INC 10-K Cybersecurity GRC - 2024-05-13

Page last updated on July 16, 2024

COMMVAULT SYSTEMS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-13 07:50:20 EDT.

Filings

10-K filed on 2024-05-13

COMMVAULT SYSTEMS INC filed a 10-K at 2024-05-13 07:50:20 EDT
Accession Number: 0001169561-24-000039


Item 1C. Cybersecurity.

Risk Management and Strategy

Commvault has established a cybersecurity program for the benefit of the company, our customers, partners and stockholders. The cybersecurity program includes policies, processes and practices that are designed to assess, identify and manage material risks from cybersecurity threats and is integrated into our enterprise risk management program. Led by the Chief Information Security Officer (“CISO”), Commvault’s cybersecurity program leverages the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, with the primary objective of securing systems and data from cyber threats. We procure security technologies, consistently work to mature our cybersecurity program, and partner with security service providers.

We have established a Security Incident Response Plan (“SIRP”) which outlines our processes for incident preparation, detection, analysis, containment, eradication, and post-incident analysis. In addition to the SIRP, we maintain a Crisis Management Plan to organize roles and responsibilities in the event of a crisis, a Disaster Recovery Plan to provide guidance in the recovery of systems following an outage, and a Business Continuity Plan to identify alternative means of conducting business in the event of business disruption. We partner with third parties to enhance monitoring and response capabilities and facilitate readiness activities including tabletop exercises and penetration testing. All employees are required to undergo annual security awareness training on current and potential cybersecurity threats and report suspicious activity. We also assess third-party service provider cybersecurity controls through a risk assessment questionnaire and include security and privacy terms in contracts as appropriate.

Commvault maintains a variety of third-party certifications and undergoes annual assessments for SOC 2 Type 2, ISO 27001, HIPAA, CJIS, and PCI DSS. In support of these certifications and assessments, our products also undergo security testing. Annually, internal auditors complete a risk assessment of specific business operations like privacy and sanctions compliance or travel & expense policy compliance, identify areas of heightened risk, and conduct dedicated audit engagements at the direction of Management. The findings, observations, and recommendations from these engagements are shared with Management and the Audit Committee, as appropriate.

To date, Commvault is not aware of any cybersecurity incidents that have materially affected Commvault’s financial condition or business operations. Given the increasingly complex and sophisticated cyber threat landscape, we try to be vigilant to predict and prevent attacks. Commvault has prioritized cyber resilience measures and leverages governance processes and procedures to mitigate potential business impacts if and when an adverse event occurs. Although no material impacts have been recorded to date, IT system failures, network disruptions, cybersecurity incidents, and data breaches could adversely impact our business, internal controls, results of operations, and financial condition. For additional description of cybersecurity risks and potential related impacts on Commvault, refer to the risk factor captioned “Risks Related to Technology and Security - We may be subject to IT system failures, network disruptions, cybersecurity incidents and breaches in data security” in Part 1, Item 1A. “Risk Factors.”

Governance

Commvault’s Board of Directors (the “Board”) provides oversight of Commvault’s enterprise risk management strategy, which includes risks from cybersecurity threats. The Audit Committee of the Board of Directors receives quarterly briefings on the cybersecurity program from the CISO and briefings on the Enterprise Risk Management Committee (“ERMC”) and Cybersecurity Oversight Team (“CSOT”) from the Chief Legal and Compliance Officer (“CLCO”). The Board is kept apprised of cybersecurity updates through quarterly, or as needed, reporting from the Audit Committee Chair and annual, or as needed, reporting directly to the Board from the CISO.

Commvault’s Management, including the CEO, CFO, CLCO, CISO, Chief Information Officer (“CIO”), and Senior Vice President of Engineering, is responsible for our cybersecurity risk management strategy, operational decision-making, and incident preparedness and response. The current CISO holds a Bachelor of Science in Information Technology and industry certifications such as CISSP, CISA, and CISM, is affiliated with various CISO professional working groups, and has over twenty-five years of experience in information security, compliance, technology, and program management across financial, telecommunications, audit, healthcare, retail, and professional services organizations.

Management ensures cybersecurity risks are communicated through the establishment of the ERMC and the CSOT and regular, or as needed, reporting to the Audit Committee and the Board. The ERMC is responsible for the implementation, maintenance, and execution of our enterprise risk management program. The ERMC meets quarterly, or as needed, to assess, consider, and manage material risks including cybersecurity threats across the business. The CSOT is responsible for the significant operational decisions in the event of an active cybersecurity incident. The CSOT meets as needed, with the Audit Committee Chair as an optional attendee, to provide counsel and foster productive communication between Management and the Board.


Company Information

Name: COMMVAULT SYSTEMS INC
CIK: 0001169561
SIC Description: Services-Prepackaged Software
Ticker: CVLT - Nasdaq
Category: Large accelerated filer
Fiscal Year End: March 30