CIENA CORP 10-K Cybersecurity GRC - 2024-12-20

Page last updated on December 20, 2024

CIENA CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-20 15:17:13 EST.

Filings

10-K filed on 2024-12-20

CIENA CORP filed a 10-K at 2024-12-20 15:17:13 EST
Accession Number: 0000936395-24-000044


Item 1C. Cybersecurity.

Oversight and Governance

Our Board of Directors and the Audit Committee of our Board of Directors (the “Audit Committee”) are responsible for overseeing and assessing management’s execution of and approach to cybersecurity risk management. Our Chief Information Security Officer (“CISO”), who reports directly to our Chief Financial Officer, is primarily responsible for assessing cybersecurity risks and managing our cybersecurity program on a day-to-day basis, with support from other members of senior management. Our CISO is an accomplished security professional with 20 years of experience in cybersecurity and risk management across numerous industries and holds degrees in computer science and information assurance, and additional executive education in building and leading cybersecurity programs. The CISO and his team (the “Security Team”), which includes trained cybersecurity professionals, are responsible for implementing and maintaining our cybersecurity strategy and program and its related processes. We also maintain a Security Advisory Committee (“SAC”), which is chaired by our Chief Financial Officer and composed of members of executive leadership and other functional leaders, including our General Counsel, CISO, Chief Digital Information Officer, and Vice President of Internal Audit. The SAC meets regularly to, among other things, review cybersecurity program developments and serves as a path of escalation and decision-making in certain situations, including incident response. We, and our managed security partners, regularly monitor our environment for indicators of malicious or suspicious activity and security relevant events. The potential risk and impact of any such event is evaluated by a cross-functional team that includes members of our Security Team, legal department and other business functions as necessary and appropriate. Materiality determinations related to escalated events are made by the SAC without unreasonable delay.

The CISO, on a quarterly basis, generally provides the Audit Committee a summary of relevant cybersecurity events, with certain events escalated to the Audit Committee outside of these quarterly meetings depending upon their nature. As part of our Board of Directors’ oversight of risk management, they devote time and attention to cybersecurity related risks. The Audit Committee is responsible for overseeing cybersecurity, data privacy and information technology-related programs, policies and other efforts to manage or mitigate cybersecurity risks. As part of its standing agenda, the Audit Committee receives quarterly updates on cybersecurity risks and initiatives from our CISO. These updates have included reviews of our cybersecurity risk management efforts, including the development of relevant processes and policies, the implementation of technologies and systems, or use of third-party partners to safeguard our information systems, the conduct of education and training initiatives with employees and business partners, and incident response preparedness, including simulations and tabletop exercises. The Audit Committee regularly updates the Board of Directors on such matters. Separately, and in addition to such quarterly reporting, our Board of Directors also receives an annual update from our CISO on information and cybersecurity risks and related initiatives. These Board updates have included briefings from our CISO, as well as external counsel and third-party security advisors, which have included continuing education sessions as our Board of Directors seeks to enhance its understanding of cybersecurity risk, leading practices and an evolving cyber threat landscape.

Risk Management and Strategy

The safeguarding of information systems that house employee and customer data and proprietary information is of paramount importance to us, our business and our reputation. We maintain a robust and proactive enterprise cybersecurity program designed to identify, assess and manage cybersecurity risks that may impact our business or assets.

Cybersecurity Strategy

Our cybersecurity strategy focuses on (i) maintaining a cybersecurity framework and set of controls to assess and manage security risks and (ii) protecting against threats by deploying and monitoring security controls and mitigating exposures and potential threats. We maintain a security program designed to align with industry standards, principles, and frameworks, such as those set by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Our program is also informed by various legal requirements including contractual requirements from our customers. In addition, we maintain internal policies and procedures that govern the measures we take to secure our information technology environment. These include a wide variety of capabilities designed to prevent, detect, or address risks to systems and data. We also employ a range of tools and services, including regular network and endpoint monitoring, penetration testing, and vulnerability assessments, to inform our risk identification and management strategy.

Security Risk Management

Our Security Team regularly assesses cybersecurity risks, including their likelihood and potential impact, to develop mitigation strategies. The team utilizes enterprise governance, risk, and compliance solutions and tools licensed from third-party vendors to conduct various analytic assessments, including cloud and container security, detection and response, threat intelligence, and application security assessments. We also routinely evaluate and update our understanding of our cybersecurity threat landscape and evolve our related assessments and mitigation strategies accordingly.

We regularly review our cybersecurity program for compliance with evolving regulations and to protect against emerging cyber threats. Because we operate in a dynamic threat landscape, we conduct regular reviews of our program and procedures, and we periodically engage third parties to supplement and review our cybersecurity practices. We also maintain a cybersecurity risk insurance policy as part of our risk management efforts, and regularly engage and collaborate with peers, industry groups, and U.S. government partners relating to cybersecurity risk management and the evolving threat environment. We seek to identify and address cybersecurity threats and risks that can arise from our use of third parties, including those that comprise our information systems, supply chain operations or who have access to certain data. We utilize supplier risk management practices, including enhanced due diligence assessments, that seek to identify cybersecurity risks associated with our use of third-party providers and the scope and nature of their work with us. These risks are assessed and prioritized based on, among other things, supplier assessments, threat intelligence, and industry practices. We consider these risks at the time of supplier onboarding and endeavor to assess changes in risk throughout the lifecycle of our relationship with suppliers. Promoting an engaged and aware workforce is a key part of our cybersecurity defense program. We carry out regular security awareness training for our personnel to help them better identify and address potential cybersecurity issues. This includes regular exercises to simulate and detect phishing attempts, various awareness and communication initiatives and required online security awareness training at the time of hire and generally on an annual basis thereafter.

Incident Response Readiness

We utilize a combination of internal and third-party resources to monitor for threats to our network, systems and data. To promote cybersecurity readiness and advance the preparedness of our teams, our cross-functional incident response teams maintain an incident response plan, in addition to more technical response playbooks, and meet regularly to assess these resources. Among other things, they perform “tabletop” simulation exercises, internally and with third-party experts, to outline their roles and responsibilities during a cybersecurity event and to refine risk identification and management practices. We have in the past, and may in the future, utilize third-party cyber security assessors or consultants to review our program, to share their findings with our Board of Directors or leadership, and to help identify opportunities for continuous improvement. Additional information about cybersecurity risks we face is discussed in Item 1A of Part I of this annual report, “Risk Factors,” including under the heading “Data security breaches and cyber-attacks targeting our enterprise technology environment and assets could compromise our intellectual property, technology or other sensitive information and could cause significant damage to our business, reputation and operational capacity,” which should be read in conjunction with the information above. While we continue to monitor, identify, investigate, respond to, and manage cybersecurity threats, risks and incidents, to date we have not experienced cybersecurity risks, including as a result of previous cybersecurity incidents, that have had a material effect. There can be no assurance that we will not experience such risks in the future.


Company Information

Name: CIENA CORP
CIK: 0000936395
SIC Description: Telephone & Telegraph Apparatus
Ticker: CIEN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: November 1