PTC INC. 10-K Cybersecurity GRC - 2024-11-14

Page last updated on November 14, 2024

PTC INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-14 17:27:14 EST.

Filings

10-K filed on 2024-11-14

PTC INC. filed a 10-K at 2024-11-14 17:27:14 EST
Accession Number: 0000950170-24-127231


Item 1C. Cybersecurity.

We are subject to various cybersecurity risks in connection with our business. For more information on our cybersecurity related risks, see the section entitled “Risks Related to Our Business Operations and Industry” in Item 1A of this Annual Report.

Our Approach

PTC takes a holistic, multi-layered approach to cybersecurity and privacy that combines traditional Defense-in-Depth methods with next-generation Zero Trust principles. In today’s globally interconnected world, we consider every entry point on the attack surface critical, and we aim to secure the points under our control. In developing our cybersecurity risk management program, we are informed by industry benchmarks and standards, including the cybersecurity framework created by the National Institute of Standards and Technology (“NIST”). We also have various security-related certifications and authorizations, including ISO 27001, SOC 2 Type II and FedRAMP, for certain of our products and services.

People. PTC recognizes that technology alone cannot mitigate all security threats, so we focus on developing our most critical resource: our people. Security is the responsibility of everyone employed by PTC and is independent of departmental affiliation. PTC’s corporate cybersecurity awareness activities are combined with enterprise-wide and department-specific tools and mandatory employee training, providing everyone employed by PTC with the knowledge and resources to support our efforts to mitigate security threats.

Process. An educated workforce needs a governance framework to guide and monitor its activities. PTC has processes and policies in place to try to anticipate security risks and facilitate compliance with applicable contractual obligations, regulations and standards, as well as address any incidents or violations. PTC focuses on continuous improvement and is constantly maturing its processes to keep pace with the rapidly evolving cybersecurity threat landscape.

Technology. PTC seeks to automate these processes and remove the potential for human error to the extent feasible by implementing technology solutions. From fundamental IT security to development of our software products and keeping our customers’ data safe in the cloud, PTC aims to maintain a secure infrastructure that is continuously monitored for possible threats.

These three key elements of people, process, and technology are tightly interwoven to support our aim to secure our environments and data.

Governance

Cybersecurity is a risk area with oversight at the highest levels of the organization, including the Executive and Board Level. The overall operational program is led by the Cybersecurity Strategy Council, a cross-functional team of executives and subject matter experts, including our Chief Product Security Officer, Chief Information Security Officer and Chief Compliance Officer. The Cybersecurity Strategy Council oversees a “Three Lines Model” of Operations, Risk Monitoring and Oversight, and Audit, to effectively address cybersecurity, risk management and control. All Cybersecurity, Risk and Internal Audit functions report to the PTC Executive Leadership Team.

PTC’s Cybersecurity Program is supported by robust processes and procedures at all levels. Our matrixed cybersecurity organization is governed by industry-standard frameworks, and to ensure that they are executed, we involve the Executive Leadership Team, the Cybersecurity Strategy Council, and business unit security leads and cybersecurity analysts across the enterprise. We provide regular updates on our cybersecurity strategic plans, programs, and initiatives, and vulnerabilities and any applicable remediation efforts to the Cybersecurity Committee of the Board of Directors at its four regularly scheduled meetings per year. Our Incident Response Plans provide for notice, and continued updates, to the Cybersecurity Committee of applicable incidents on a timely basis. Ongoing program assessments are performed to monitor progress and identify opportunities for growth.

Risk Assessment

PTC conducts an annual cybersecurity maturity assessment. Periodically, we engage a third-party security consulting firm to conduct an Enterprise Security Maturity Assessment. This independent assessment provides a mechanism to benchmark our current risk profile and enables us to measure progress as we make program improvements. Identified cybersecurity risks are reviewed by the Cybersecurity Strategy Council, which ensures that risk tolerances are established and used to appropriately manage risks.

Third-Party Vendor Risk Management

Our Vendor Risk Management (VRM) program supports PTC in meeting its cybersecurity, privacy, regulatory and compliance obligations and managing risk associated with third-party vendors who have access to PTC IT systems and data. Prior to outsourcing or allowing third-party access to PTC or customer systems, IP, or data, risks associated with such activity are clearly identified and documented. The process of selecting a third-party vendor includes due diligence of the vendor service or product in question. Third-party companies using PTC facilities or accessing PTC’s IT Systems are subject to PTC’s VRM review and are required to demonstrate that proper security measures are in place before they have access to any PTC IT systems or data. All such vendors are to be approved by PTC’s VRM process and contractually bound to maintain appropriate cybersecurity technical and organization measures and to protect PTC’s data to which they may have access.

Incident Response

PTC maintains a formal Cybersecurity Incident Response Policy to address cybersecurity incidents. The Policy is tested on a regular basis, including a continuous improvement program involving periodic tabletop exercises. Cybersecurity incident handling is managed by individual organizations with cybersecurity responsibility and monitored/guided by applicable corporate functions. All Cybersecurity Incident Response Plans under the Policy are based on industry standards, such as the NIST Computer Security Incident Handling Guide - Special Publication 800-61.

Management’s Role in Assessing and Managing Our Risks from Cybersecurity Threats

Our Cybersecurity Program is overseen by executives on our Executive Leadership Team and managed by our Cybersecurity Strategy Council, including our Senior Vice President, Chief Information Security Officer (CISO), who reports to our Executive Vice President, Chief Digital Officer (CDO). Our CISO is responsible for day-to-day risk management activities, including staying informed about and monitoring prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security team, and the use of technological tools and software. Our CDO is responsible for our broader IT program, which includes PTC’s ability to remediate and recover from a cybersecurity incident while reducing impacts to the business and operations. Our CDO and CISO regularly report directly to the Cybersecurity Committee of the Board of Directors on our Cybersecurity Program and efforts to prevent, detect, mitigate, and remediate issues. In addition, we have an escalation process in place to inform senior management and the Cybersecurity Committee and the Board of Directors of material issues.

Management Experience

Our CDO and CISO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our CDO joined PTC as Chief Digital Officer in January 2022 and is responsible for PTC’s global information technology (IT) team, overseeing PTC’s digital infrastructure and working with business leaders to guide PTC’s digital process optimization strategy. He has more than two decades of IT and operations leadership. Before joining PTC, he served as Global Vice President and Chief Information Officer for Avaya, where he led a globally-dispersed team of 1,200 IT professionals to support the entire global Avaya enterprise. Prior to Avaya, he held technology leadership roles at Arise Virtual Solutions Inc., Oracle, and Colorado College. Our CISO joined PTC as Cyber Information Security Officer in April 2022 and, before joining PTC, was the Vice President, Information Technology, North America and Europe for Alorica, where he led Alorica’s transformation to a secure endpoint architecture for 90,000 global remote and hybrid employees.


Company Information

Name: PTC INC.
CIK: 0000857005
SIC Description: Services-Prepackaged Software
Ticker: PTC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 29