Page last updated on September 12, 2024
EGAIN Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-12 16:25:37 EDT.
Filings
10-K filed on 2024-09-12
EGAIN Corp filed a 10-K at 2024-09-12 16:25:37 EDT
Accession Number: 0001558370-24-012767
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY

RISK MANAGEMENT AND STRATEGY

Protecting our business information, intellectual property, customer and employee data, and technology systems is crucial for our business continuity, regulatory compliance, and stakeholder trust. We have implemented enterprise cybersecurity risk mitigation and governance processes, detailed in our Information Security Protection Program (“Security Plan”). Our strategy is guided by the Security Plan’s principles, which involve monitoring threats and vulnerabilities, assessing and monitoring related controls, and supporting the Chief Information Security Officer (CISO). Our cybersecurity policies, standards, processes, and practices are integrated into our overall risk management system to enhance our ability to protect our operations and information. This includes annual cybersecurity reporting to the board of directors by senior leadership.

We engage third-party providers to conduct evaluations of our security controls, through penetration testing, independent audits or consulting on best practices. These evaluations include testing both the design and operational effectiveness of our security controls.

Our Security Plan

Our Security Plan, developed in collaboration with third-party consultants, aligns with the National Institute of Standards and Technology (NIST) and ISO27001. This program encompasses security and privacy, risk-based controls, and integrates lessons learned from past cybersecurity incidents. Under the Security Plan, cyber risks, including threats and incidents, are continuously assessed, treated, and monitored. We incorporate insights from incident response and risk mitigation into our cyber risk management strategy to enhance overall cybersecurity. The Security Plan is led by specific management positions selected for their expertise, as detailed below.

Following best practices in cyber risk management, we have worked with recognized third-party experts to align the foundational processes, metrics, monitoring, and reporting of the Security Plan with common frameworks such as NIST.

Third-Party Cyber Risk Management

Our Third Party Cyber Risk Management Plan ensures that due diligence is carried out on third parties prior to and during engagement. Prior to engagement, third parties are assessed using a questionnaire that covers all areas of security including cyber risk, and external documentation is requested such as SOC2 T2 reports, penetration testing, and ISO27001 certification and scope. We include security and privacy clauses within our third-party contracts where applicable, which cover the implementation of security controls and self-reporting. During engagement, third parties are regularly reviewed, at least annually, to ensure that cyber risks are evaluated and assessed on a continual basis.

Cyber Incident Response Plan

Our Incident Response Plan outlines the processes for detecting, identifying, prioritizing, and analyzing information security events. Depending on the incident’s scope, business impact, and potential material risk, our CISO, legal counsel, and business stakeholders are engaged. This cross-functional team assesses the appropriate response and mitigation pathway. Once security events are identified through our enterprise detection and monitoring ecosystem, the Incident Response Plan establishes a prioritization and decision workflow to determine the scope, business impact, and potential material risk, implemented in collaboration with the CISO, legal counsel, and business stakeholders.

Additionally, we have implemented an information security training program for employees, which includes security awareness training on cybersecurity risks, simulated phishing emails, and regular communication about cybersecurity risks.

While we occasionally experience cybersecurity threats and incidents, we are not aware of any material risks from these threats, including from past incidents, that have materially affected or are likely to materially affect our business strategy, financial condition, results of operations, or cash flows. However, there is no assurance that future cybersecurity threats will not have a material impact. For more information on our cybersecurity-related risks, please see “Item 1A. Risk Factors.”

GOVERNANCE

Protecting our customers’ data is a top priority for our board of directors and management team. Our risk management team, integrated into our CIS function, is led by our CISO. This team brings together extensive experience in information security, governance, and compliance, covering areas such as engineering, architecture, cybersecurity, and privacy. They are responsible for defining the program, overseeing cybersecurity governance, and gathering insights to assess, identify, and manage cybersecurity threats, their severity, and mitigations.

Our CISO, who reports to the Chief Financial Officer, leads the company’s technology and digital capabilities, including the overall cybersecurity strategy. Our CISO has over 25 years’ experience working in the commercial sector within IT and security environments, across a variety of business verticals. Prior to this, the CISO was in the Armed Forces working in an IT, telecommunications and security capacity. A member of (ISC)2 and CISSP certified, the CISO understands the security and protection requirements needed for areas such as data protection, PCI/DSS, HIPAA, and FedRAMP.

The Audit Committee of our board of directors is charged with oversight of data privacy and cybersecurity risks. Our CISO provides annual updates on cybersecurity risks and related mitigating actions to the Audit Committee, meets with the full board of directors at least annually, and informs the Audit Committee immediately if a cybersecurity incident is deemed material. The CISO reports to the Audit Committee and the board of directors on compliance and regulatory issues, provides updates concerning continuously evolving threats and mitigating actions, and presents a NIST Cybersecurity Framework Scorecard. Additionally, the CISO discusses and presents strategies to address technological changes, such as AI.

In overseeing cybersecurity risks, the Audit Committee focuses on aggregated, thematic issues with a risk-based approach. Oversight of cybersecurity risk incorporates strategy metrics, third-party assessments, and internal audit and controls. Outside counsel advises the board of directors on best practices for cybersecurity oversight by the board of directors, and the evolution of that oversight over time. Management also reports on strategic key risk indicators, ongoing initiatives, and significant incidents and their effect.
Company Information
Name | EGAIN Corp |
CIK | 0001066194 |
SIC Description | Services-Prepackaged Software |
Ticker | EGAN - Nasdaq |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | June 29 |