FAIR ISAAC CORP 10-K Cybersecurity GRC - 2024-11-06

Page last updated on November 6, 2024

FAIR ISAAC CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-06 16:16:04 EST.

Filings

10-K filed on 2024-11-06

FAIR ISAAC CORP filed a 10-K at 2024-11-06 16:16:04 EST
Accession Number: 0001628280-24-045719


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and managed through a multi-faceted approach including third-party assessments, internal IT Audit, IT security, governance, risk and compliance reviews. To defend, detect and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, audit applicable data policies, perform penetration testing using external third-party tools and techniques to test security controls, conduct employee training, monitor emerging laws and regulations related to data protection and information security (including our consumer products) and implement appropriate changes. We employ an experienced team of cybersecurity professionals with a variety of backgrounds. We seek to address material cybersecurity risks through a company-wide approach that assesses, ranks and prioritizes cybersecurity threats, vulnerabilities and issues as they are identified to maintain the confidentiality, integrity and availability of our information systems and the information that we collect and store.

The Company’s cybersecurity policies, standards, processes and practices are informed by recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and an array of other applicable standards-setting bodies, which are integrated into a broader risk management framework and related processes. We also hold various security-related industry certifications and attestations that have been validated by external auditors, including: SOC 1, SOC 2 Type II, ISO 27001, CSA STAR Level 2, PCI-DSS and others. Leveraging threat intelligence and other signals, the Company undergoes periodic testing, audits and reviews of its policies, standards, processes and practices to identify, assess and address cybersecurity risks and events. The Company also undergoes routine internal and external penetration testing. The results of such tests and assessments are evaluated by management and periodically reported to the Audit Committee. The Company further adjusts its cybersecurity policies, standards, processes and practices based on these results. The Company also makes available to clients attestations of its various certifications, audits, and penetration tests.

We have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition. However, we face ongoing and increasing cybersecurity risks, including from bad actors that are becoming more sophisticated and effective over time, as well as a result of potential defects or disruptions in our or our customers’ services. Additional information on the cybersecurity risks that could materially affect us is discussed in Part I, Item 1A, “Risk Factors.”

Management Oversight and Governance

The Company’s Chief Information Security Officer (“CISO”), who reports to the Executive Vice President, Software, is responsible for the design and implementation of our security program and strategy based on the mandate provided by the Board and senior management. The CISO has extensive experience in the management of cybersecurity risk management programs, having served in various leadership roles in information technology and information security for over 20 years, including serving as the Chief Security Officer of two other large public technology companies. We believe the Company’s business leaders have the appropriate expertise, background and depth of experience to manage risks arising from cybersecurity threats. The CISO, in coordination with other members of senior management, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity program, cross-functional teams throughout the Company are tasked with addressing cybersecurity threats and responding to cybersecurity incidents. Through ongoing communications with these teams, the CISO and senior management are informed promptly about, and monitor the prevention, detection, investigation, mitigation and remediation of, cybersecurity threats. These teams are expected to operate pursuant to documented plans and playbooks that include processes for escalation of incidents to leadership and to the Audit Committee and Board, as appropriate, based on the severity level of an incident.

In addition, the Company periodically consults with outside advisors and experts to assist with assessing, identifying and managing cybersecurity risks, including to anticipate future threats and trends, and their impact on the Company’s risk management environment. Specifically, management implements the Company’s cybersecurity and risk management strategy across several areas:

- Identification and Reporting. The Company has implemented a robust, cross-functional approach to identifying, assessing and managing cybersecurity threats and risks. The Company’s program includes controls and procedures designed to properly identify, classify, and escalate cybersecurity risks to provide management with visibility and prioritization of risk mitigation efforts and to publicly report material cybersecurity incidents if and when appropriate.

- Threat Intelligence. The Company maintains a Threat Intelligence team focused on profiling, intelligence collection, and threat analysis supporting the Company’s ongoing efforts to identify, assess and manage cybersecurity threats. The team’s input supports both near-term response to cybersecurity events, and long-term strategic planning and development of the Company’s cybersecurity risk management framework.

- Technical Safeguards. The Company implements technical safeguards that are designed to protect both the Company’s service offerings and other information systems it controls from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, vulnerability management, encryption processes and access controls, all of which are periodically evaluated and improved through risk and control assessments and in response to cybersecurity threat intelligence as well as outside audits and certifications.

- Incident Response and Recovery Planning. The Company has established and maintains robust incident response, business continuity and disaster recovery plans designed to address the Company’s response to a cybersecurity incident, including any required public disclosure and reporting of material incidents in a timely manner. These plans and procedures serve to guide and document a rigorous incident response program that reflects the roles of an array of stakeholders, including personnel providing technical, operational, engineering, legal and other perspectives across the Company. The Company conducts regular tabletop exercises involving multiple operational teams, including senior management, to test these plans and to familiarize personnel with their roles in a response scenario.

- Third-Party Risk Management. The Company maintains a robust, risk-based approach to identifying and overseeing cybersecurity threats presented by certain third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a significant cybersecurity incident affecting those third-party systems.

- Education and Awareness. The Company regularly provides employee training on security-related duties and responsibilities, including knowledge about how to recognize security incidents and how to proceed if an actual or suspected incident should occur. This training is mandatory for employees across the Company, and is intended to provide the Company’s employees with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes and practices.

Board Oversight and Governance

Our management is responsible for identifying the various risks facing the Company, formulating risk management policies and procedures, and managing the Company’s risk exposures. Our Board of Directors’ responsibility is to monitor the Company’s risk management processes by informing itself concerning our material risks and evaluating whether management has reasonable controls in place to address the material risks. The Audit Committee of the Board of Directors is responsible for discussing with management the Company’s major risk exposures and the steps management has taken to monitor and control such exposures, including the Company’s risk assessment and risk management policies. Accordingly, our internal risk management team regularly reports to the Audit Committee on our major risk exposures and the steps management has taken to monitor and control such exposures, including our risk assessment and risk management policies. The Audit Committee, in turn, reports on the matters discussed at the committee level to the full Board of Directors.

As part of its oversight of the Company’s risk management noted above, the Audit Committee oversees, reviews and discusses with management the Company’s risks from cybersecurity threats and management’s role in assessing and managing such risks. The Audit Committee receives regular presentations, reports and updates from the CISO and other members of management on developments regarding the Company’s cybersecurity program, broader cybersecurity trends, evolving industry standards, the threat environment and other topics. The Company’s processes also allow for the Board and the Audit Committee to be informed of key cybersecurity risks outside the regular reporting schedule. While regular meetings of the Audit Committee are scheduled on a quarterly cadence, the Audit Committee is authorized to meet with management at any time it deems appropriate to discuss matters relevant to the Audit Committee. The Company’s policy is for the Board and the Audit Committee to receive prompt and timely information regarding any cybersecurity risk (including any incident) that meets pre-established reporting thresholds, as well as ongoing updates regarding any such risk.


Company Information

Name: FAIR ISAAC CORP
CIK: 0000814547
SIC Description: Services-Business Services, NEC
Ticker: FICO - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29