ITERIS, INC. 10-K Cybersecurity GRC - 2024-06-13

Page last updated on July 16, 2024

ITERIS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-13 16:41:27 EDT.

Filings

10-K filed on 2024-06-13

ITERIS, INC. filed a 10-K at 2024-06-13 16:41:27 EDT
Accession Number: 0000350868-24-000016


Item 1C. Cybersecurity.

Risk Management and Strategy

We have established processes to assess, identify, and manage risks from cybersecurity threats as part of our broader enterprise-wide risk management system and processes, which is overseen by our Board of Directors through our Audit Committee, along with our executive management. To assess and manage risks from cybersecurity threats, we maintain a cybersecurity risk management program (the "Cybersecurity Program") that employs the Critical Security Controls framework developed by the Center for Internet Security as its foundation. Our Information Security team, composed of members of the Company's Corporate Information Technology ("IT") Department and Software Product Operations team, is tasked with monitoring and assessing, and the day-to-day management of, cybersecurity and operational risks related to information security and system disruption.

The Cybersecurity Program includes, among other elements:

- ongoing identification and assessment of cybersecurity threats based on periodic internal and external assessments and monitoring;
- technical and organizational measures designed to protect against, detect, and respond to cybersecurity threats, including documented processes, procedures and technical controls aligned with our information security management system;
- an incident management and response program that continuously monitors the Company's information systems for vulnerabilities, threats, and incidents; manages and takes action to contain incidents that occur; remediates vulnerabilities; and communicates the details of threats and incidents to management, as deemed necessary or appropriate; and
- organization-wide cybersecurity training and compliance exercises, including formal educational material and compliance testing that is administered to all employees on an annual basis, as well as ad hoc testing and awareness exercises.

The Company also engages external experts to assist in its assessment, identification, and management of risks from cybersecurity threats. These experts include cybersecurity consultants that we engage as part of our continuing efforts to evaluate and improve the effectiveness of our Cybersecurity Program, and other cybersecurity service providers that help secure our systems and networks. The Company also uses specialized third-party software tools to identify, monitor and mitigate risks from cybersecurity threats.

Our Cybersecurity Program also addresses cybersecurity risks associated with our use of third-party service providers, in particular those identified as critical to the functioning of our business. To that end, we take cybersecurity considerations into account in the selection of our third-party service providers. We perform cybersecurity diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity risks identified through such diligence, and we require those third parties to implement appropriate cybersecurity controls with respect to the services they provide to us.

As of the date of this Annual Report, the Company has not identified any risks from cybersecurity threats, including as the result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition, but there can be no assurance that any such risk will not materially affect the Company in the future. For further information about the cybersecurity risks we face, and potential impacts, see Part I, Item 1A, "Risk Factors."

Governance

The Board of Directors is responsible for overseeing our enterprise risk management program. The Audit Committee, which consists solely of independent directors, has been designated by our Board to oversee cybersecurity risks and our processes to identify, prioritize, assess, manage, and mitigate those risks. The Audit Committee receives quarterly updates, or more frequently as needed, on cybersecurity and information technology matters and related risk exposures from our Chief Financial Officer ("CFO"). The CFO works in conjunction with the Chief Technology Officer ("CTO") to oversee the Information Security team and the operation of the Cybersecurity Program. Our Information Security team, together with the CTO, has an average of 15 years of professional IT and software development management experience, including in the areas of incident response, vulnerability management, network security administration and other governance, risk and compliance areas.

Our executive management, the Audit Committee, and the Board of Directors are notified of any significant cybersecurity incidents through an escalation process that is established in our incident response plan. Pursuant to that plan, upon detection, incidents are first reported to and assessed by the Information Security team. Depending on the nature and severity of an incident, and considering the actual or potential impact, significance, and scope, the plan calls for the Information Security team to notify the executive team, who may in turn notify the Audit Committee and Board of Directors, regarding the detection, mitigation, and remediation of cybersecurity incidents.


Company Information

Name: ITERIS, INC.
CIK: 0000350868
SIC Description: Communications Equipment, NEC
Ticker: ITI - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: March 30