IBEX Ltd 10-K Cybersecurity GRC - 2024-09-12

Page last updated on September 12, 2024

IBEX Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-12 16:40:04 EDT.

Filings

10-K filed on 2024-09-12

IBEX Ltd filed a 10-K at 2024-09-12 16:40:04 EDT
Accession Number: 0001720420-24-000042

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The Company recognizes the critical importance of developing, implementing, and maintaining effective cybersecurity measures to protect our information systems and provide for the confidentiality, integrity, and availability of our data, as well as that of our customers, business partners and employees. Our cybersecurity processes are integrated into our overall enterprise risk management framework so that cybersecurity risks can be evaluated and managed alongside other business risks. Such integration supports our effort to promote a company-wide culture of cybersecurity risk management. Our cybersecurity risk management program is focused on the following key areas: Risk Assessment . Our in-house security teams and third-party security firms periodically evaluate the Company’s cybersecurity policies, processes, and practices. Such evaluations may include audits, assessments, penetration testing, threat modeling, tabletop exercises, and similar activities focused on evaluating the effectiveness of our cybersecurity processes and planning. The Company updates its cybersecurity policies, standards, processes, and practices periodically, as appropriate, based on the insights gained from these assessments, evolving industry standards, cybersecurity threat intelligence, changes to our infrastructure, and client-specific requirements. The Company considers the following factors in assessing its cybersecurity risks, mitigation, and remediation strategies: the likelihood and degree of risk; potential impact, if a risk materializes; and the feasibility, cost and impact of controls. The specific controls used by the Company vary based on the systems and program involved, but typically include vulnerability and patch management, penetration testing, firewalls, intrusion prevention and detection systems, anti-malware (including anti-phishing) technical safeguards and access controls, privileged access management, endpoint threat detection and response, identity and access management, multi-factor authentication, logging and monitoring, cyber insurance, and physical security controls. The Company also incorporates threat intelligence and monitors emerging cybersecurity threats relevant to the BPO industry. We have, and will continue to, integrate AI into our solutions, as well as explore potential third-party partnerships to help us be better positioned to offer our clients robust solutions. While AI offers significant benefits, it also presents risks and challenges. AI solutions are evolving and are not infallible, and we may encounter issues with data sourcing, technology integration, program bias into decision-making algorithms, security challenges and the protection of personal information and privacy. The Company typically conducts a risk assessment to identify potential threats and vulnerabilities in the third-party partners’ systems, including reviews of data security, the AI model security, and compliance with applicable laws, regulations, and standards related to AI and data security. Third-Party Risks . We have established processes to oversee and identify cybersecurity risks presented by third parties. Under these processes, contracts with third parties are to be reviewed for proper contractual controls, to include provisions mandating the implementation and maintenance of appropriate cybersecurity measures as well as legal recourse in the event of a security incident. We periodically conduct assessments of key vendor and business partners’ cybersecurity practices and require them to adhere to our security standards, as appropriate. Additionally, we may perform additional due diligence on select third-party service providers by collecting and reviewing certifications when available. The Company also conducts periodic audits of third-party processes and certifications to consider their use of industry best practices. Business Continuity, Incident Response and Disaster Recovery . The Company has established and maintains business continuity, incident response, and disaster recovery plans designed to address the Company’s response to cybersecurity incidents and other potential disruptions. Our IT Security, Operations and Compliance teams routinely evaluate and update these plans to enhance our incident response preparedness. The Company also leverages third party incident response and threat detection services. Education and Awareness . The Company provides regular, mandatory training for all personnel on cybersecurity threats and has processes and procedures in place to communicate out-of-cycle notices and updates regarding the Company’s information security policies, standards, processes, and practices by the CTO as needed. As indicated above, we utilize a risk-based methodology to determine which security controls are appropriate for a particular circumstance, and it is possible we may not implement suitable controls if we fail to perceive, or underrate, a particular risk. Though we have confidence in the security measures and processes we deploy to protect from cybersecurity threats, neither ibex nor others we rely on may be able to completely, continuously, and successfully execute security controls as intended. Governance The Company’s Board is responsible for overseeing cybersecurity risk management as part of its oversight of the Company’s enterprise risk management framework. The Company’s management team is responsible for the day-to-day oversight and management of cybersecurity risks, supported by our dedicated professionals responsible for cybersecurity, fraud, risk management, and compliance. Additionally, our Cybersecurity Committee, which is composed of certain of our executive management, legal and operations leaders, provides sponsorship and guidance to help achieve our management objectives. Our Vice President for IT Data Security (“VP, IT Data Security”) reports to our Chief Technology Officer (“CTO”) and assists in the day-to-day management of cybersecurity risks by leading the Information Security department and operationalizing our Information Security management systems. Our current VP, IT Data Security, has led our Data Security Department for nine years and holds more than seventeen years of experience in cybersecurity, including security operations, cloud security, and risk management. He has extensive experience with enterprise information security controls and frameworks, such as ISO 27001, PCI DSS, SOC 2 Type II, and HITRUST. Additionally, he holds multiple certifications, including CIISSP (Certified Information Systems Security Professional), CISA (Certified Information Security Auditor), and CISM (Certified Information Security Manager). The CTO and VP, IT Data Security meet regularly with the Cybersecurity Committee to review the Company’s management of information security risks, and the Cybersecurity Committee evaluates the adequacy of the Company’s IT security program, compliance and controls with our CTO. In addition to scheduled meetings, the CTO, Cybersecurity Committee, and CEO maintain a regular dialogue regarding emerging or potential cybersecurity risks, which may include input from our third party vendors and other external sources. Together, they receive updates on significant developments in the cybersecurity domain from the CTO, as needed and quarterly. These updates, as well as other cybersecurity matters, are provided to the Company’s Board by the CTO to support the Board’s proactive and responsive oversight of cybersecurity related risks. The Board and executive management meet regularly to review cybersecurity risks and developments as part of our enterprise risk management framework. Cybersecurity Threats The Company previously experienced a cybersecurity incident in August of 2020. Although cybersecurity threats, including any previous cybersecurity incidents, have not materially affected the Company’s business strategy, results of operations or financial condition, there can be no assurances that future cybersecurity incidents, which are unavoidable, will not materially affect our results of operations, including our business strategy, results of operations, or financial condition. Additional information on cybersecurity risks we face can be found in Part I, Item 1A. “Risk Factors - Unauthorized or improper disclosure of personal information, breach of privacy, whether inadvertent or as the result of a cyber-attack or improperly by our employees, has resulted in liability and could harm us. " which should be read in conjunction with the foregoing information.

Company Information