8X8 INC /DE/ 10-K Cybersecurity GRC - 2024-05-21

Page last updated on July 16, 2024

8X8 INC /DE/ reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-05-21 17:10:13 EDT.

Filings

10-K filed on 2024-05-21

8X8 INC /DE/ filed a 10-K at 2024-05-21 17:10:13 EDT
Accession Number: 0001023731-24-000042


Item 1C. Cybersecurity.

8x8 recognizes the critical importance of cybersecurity in maintaining the integrity, confidentiality, and availability of its systems and data. As a leading provider of communication and collaboration solutions, 8x8 is committed to safeguarding its assets, including customer data, from evolving cybersecurity threats.

NIST Framework Adoption: 8x8’s cybersecurity program is aligned with the National Institute of Standards and Technology, or NIST, cybersecurity framework, a widely recognized set of guidelines for managing and mitigating cybersecurity risks. By leveraging the National Institute of Standards and Technology framework, 8x8 has implemented a comprehensive and structured approach to identifying, protecting, detecting, responding to, and recovering from cybersecurity incidents.

Governance Structure: At 8x8, cybersecurity is integral to the enterprise-wide risk management program. The Chief Information Security Officer, or CISO holds a pivotal role in overseeing the Company’s cybersecurity initiatives. The Company’s Chief Information Security Officer has served in various security leadership roles, including at a Fortune 500 technology company, and is a Certified Information System Security Professional, or CISSP, and a Licensed Private Investigator, and completed Harvard University’s Cybersecurity Managing Risk in 2021. He also held a United States Top Secret / Sensitive Compartmentalized Information, or TS/SCI, security clearance when he advised the White House, Pentagon, National Security Agency, Central Intelligence Agency, and Federal Bureau of Investigation on classified projects. Reporting directly to the Chief Legal Officer, who in turn reports to the CEO, the Chief Information Security Officer is empowered to lead the Executive Risk Management Committee. Through this committee, critical cybersecurity issues are monitored, addressed, and escalated as necessary.

Furthermore, the Chief Information Security Officer provides regular updates and presentations directly to the Board of Directors on cybersecurity matters. This direct line of communication ensures that the Board remains informed and engaged in understanding and managing cybersecurity risks facing the Company. To enhance oversight and governance in this area, 8x8’s Board of Directors has established the Technology & Cybersecurity Committee. This committee focuses specifically on the Company’s technology, products, and cybersecurity program, providing strategic guidance and oversight to ensure alignment with business objectives and industry standard practices.

Reporting and Communication: Transparent reporting and communication are key components of 8x8’s cybersecurity program. Incidents are promptly reported to the Chief Information Security Officer, who is responsible for escalating to relevant stakeholders, including executive leadership, the internal disclosure committee, and the Board of Directors, as required. Regular communication channels ensure that stakeholders are kept informed of the Company’s cybersecurity posture and any emerging threats or incidents.

Determining Potential Impact and Materiality of Cybersecurity Incidents: 8x8 conducts thorough assessments to determine the potential impact and materiality of cybersecurity incidents. 8x8’s Chief Information Security Officer is a member of 8x8’s internal disclosure committee emphasizing the importance of cybersecurity as part of 8x8’s disclosure controls and procedures. By evaluating factors such as the nature of the incident, the extent of data exposure, and potential regulatory implications, the Company assesses the significance of cybersecurity events, which helps it take appropriate measures to mitigate risks, minimize impact and properly report any material cybersecurity incidents.

Incident Response Plan (IRP) Implementation: 8x8 has developed and implemented a comprehensive Incident Response Plan, or IRP, to effectively manage cybersecurity incidents. The Incident Response Plan outlines clear reporting and escalation processes, delineating roles and responsibilities for incident response team members. The plan is regularly reviewed, tested, and updated to facilitate its effectiveness in mitigating and responding to cybersecurity threats promptly.

Integration with Overall Risk Management Program: The cybersecurity program at 8x8 is fully integrated with the Company’s overall risk management program through our Chief Information Security Officer’s participation in such governance structures as the executive risk management committee, data protection committee, and internal disclosure committee and the incorporation of security in the Company’s overall compliance and enterprise risk management programs. By aligning cybersecurity initiatives with 8x8’s broader enterprise risk management initiatives, 8x8 pursues a holistic approach to identifying, assessing, and mitigating risks across the organization.

Risk Assessment and Identification: 8x8 conducts regular risk assessments to identify and prioritize cybersecurity risks. Through measures such as vulnerability assessments, and penetration testing, the Company identifies potential vulnerabilities and takes proactive steps to address them. 8x8 has also implemented technical, administrative and legal controls to manage our risk from third party service providers, including implementation of a third-party vendor risk management platform. Individuals or entities have attempted, and will continue to attempt, to penetrate our network security, and that of our platform, to try to cause harm to our business operations, including by misappropriating our proprietary information or that of our customers, employees and business partners or causing interruptions of our products and platform.

See the sections entitled “Risks Related to our Products and Operations” and “Risks Related to Regulatory Matters” in Part I, Item 1A “Risk Factors” for more information on our cybersecurity risks.

Training and Awareness: 8x8 invests in comprehensive training and awareness programs to educate employees about cybersecurity best practices and their roles in safeguarding company assets. By promoting a culture of cybersecurity awareness, 8x8 strengthens its overall security posture and reduces the risk of human error leading to cybersecurity incidents.

Engagement with Third Parties: 8x8 collaborates with third-party auditors, consultants, and participates in bug bounty programs to enhance its cybersecurity capabilities. External audits and assessments provide independent validation of the effectiveness of 8x8’s cybersecurity controls, while bug bounty programs leverage the collective expertise of the cybersecurity community to identify and address potential vulnerabilities.

Conclusion: 8x8 prioritizes cybersecurity as a fundamental aspect of its operations and is dedicated to maintaining a robust cybersecurity program aligned with industry practices and regulatory standards. Through strong governance, risk management, and continuous improvement efforts, 8x8 aims to protect its systems, data, and stakeholders from cybersecurity risks.


Company Information

Name: 8X8 INC /DE/
CIK: 0001023731
SIC Description: Services-Computer Processing & Data Preparation
Ticker: EGHT - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: March 30