EPLUS INC 10-K Cybersecurity GRC - 2024-05-22

Page last updated on July 16, 2024

EPLUS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-22 18:03:53 EDT.

Filings

10-K filed on 2024-05-22

EPLUS INC filed a 10-K at 2024-05-22 18:03:53 EDT
Accession Number: 0001140361-24-027200

Item 1C. Cybersecurity.

We believe that cybersecurity and business resilience are critical to advancing our corporate vision and enabling our digital transformation efforts. As a technology services provider, we are faced with a multitude of diverse cybersecurity threats that range from common attacks such as ransomware, denial of service, and social engineering to more advanced attacks from nation state actors that might target our ecosystem through specific industry verticals. Any such cybersecurity threats could affect our customers, vendors, service providers, subcontractors and/or employees, and a cybersecurity threat to us or any of these entities could materially adversely affect our business strategy, financial condition, performance, our brand and results of operations.

We have a dedicated team of information security professionals (our “information security team”) who lead our enterprise-wide cybersecurity strategy, which includes risk management, cyber defense, software security, security monitoring and other related functions. This team is overseen by our Senior Director of Information Security (“SDIS”) who reports to our Chief Information Officer (“CIO”). The SDIS has over 25 years of experience in the field of cybersecurity and is responsible for our overall business resilience and information security strategy, security engineering and operations, cyber threat detection and response, and policy recommendations. In addition, our SDIS has a significant background in general information technology and program management. Our information security team manages our robust enterprise security structure, which is designed to prevent cybersecurity incidents, while simultaneously increasing our technology resilience to minimize the associated business impact of cybersecurity threats.
Core to our information security team’s structure is our security incident response team, which is responsible for the protection, detection and overall response capabilities in defense of our corporate resources and assets. Furthermore, we believe strongly in a supportive culture of security, whereby all ePlus employees maintain a role in our corporate cybersecurity posture, including but not limited to their participation in periodic training and risk management exercises throughout the year.

The processes overseen by our information security team are integrated with our enterprise risk management (“ERM”) program, including routine reporting to our executive team on cyber risk through the different levels of our ERM governance structure including our risk management frameworks and processes. We undergo routine testing of both the design and operational effectiveness of our security controls, consult with industry leaders on best practices, and ensure alignment with relevant industry frameworks and laws, as well as auditing by our internal audit team.

Our cybersecurity program consists of policies, practices and procedures designed to manage material risks from cybersecurity threats, including training requirements, threat monitoring and detection, threat containment and risk assessments. In addition to our policies and procedures designed to manage and identify cybersecurity risks, we maintain an incident response plan designed to contain, analyze, remediate, and communicate cybersecurity matters to help ensure a timely and appropriate response to cybersecurity incidents. Additionally, we engage third-party firms to conduct routine external and internal penetration testing of our information systems to emulate the common tactics and techniques of cyber threat actors and we have developed processes to remediate identified vulnerabilities across a wide range of severities.
We have policies and procedures to oversee and identify the cybersecurity risks associated with our use of certain third-party service providers. These policies and procedures include onboarding risk assessments prior to engagement and, as appropriate based on identified risk, may include either cybersecurity-related contractual terms and/or periodic risk assessments throughout the life cycle of the third-party relationship.

We maintain cybersecurity insurance coverage that we believe is appropriate for the size and complexity of our business to cover certain costs related to the remediation of cybersecurity incidents.

Our Board of Directors has ultimate oversight of our cybersecurity risk, which it oversees as part of our ERM program. The CIO and SDIS regularly provide reporting on cybersecurity to both our executive management and our Board of Directors. This reporting includes updates on our information security strategy and organizational structure, key cyber risks and threats, progress related to various initiatives designed to protect us from such risks and threats, assessments of our cybersecurity program and emerging trends. Depending on the criticality of a cybersecurity incident and in accordance with our incident response plan, certain matters are required to be reported promptly to the Board of Directors, as appropriate.

As of the date of this report, we are not aware of any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, financial condition, or our brand. However, we cannot provide assurance that such threats will not result in such an impact in the future. For more information regarding risks relating to information technology and cybersecurity, please refer to Item 1A. “Risk Factors.”


Company Information

Name: EPLUS INC
CIK: 0001022408
SIC Description: Wholesale-Computers & Peripheral Equipment & Software
Ticker: PLUS - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: March 30