Page last updated on January 28, 2025
Concentrix Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-28 08:00:56 EST.
Filings
10-K filed on 2025-01-28
Concentrix Corp filed a 10-K at 2025-01-28 08:00:56 EST
Accession Number: 0001803599-25-000022
Item 1C. Cybersecurity.
As a global technology and services leader, our business is heavily dependent upon information technology networks and systems. Protecting our systems, data, and information, as well as the information and data of our game-changers, clients, and partners, is a key priority. We have established and maintain a corporate-wide information security management system and an integrated risk management framework with practices that are derived from industry standards, including ISO 31000, ISO 27001, HITRUST, PCI DSS, and the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, and data privacy regulations, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the General Data Protection Regulation (“GDPR”). The data security controls from these standards and regulations are evaluated as a component of our risk management framework, based on the needs of our business and our clients, the nature of our industry, and applicable regulations.
Risk Management and Strategy
We have implemented and maintain an Information Security Management System (“ISMS”) that covers information security, data protection, cybersecurity, application security, and other areas as necessary.
As a part of our ISMS, we evaluate our security risk strategy on an ongoing basis to facilitate our response to the changing cybersecurity threat landscape and build a culture of security within Concentrix; we allocate and evaluate available resources, including technology, infrastructure, and personnel, to support information security initiatives; we regularly identify security risks and prepare and continuously update mitigation and response plans, including with respect to risks related to the use of our third party service providers; we report, investigate, and respond to suspected or confirmed information security risks; and we maintain a business continuity management process to counter potential interruptions to business activities and a data privacy program to protect personal and sensitive information.
We regularly evaluate the ISMS for compliance with applicable regulatory, legislative, and contractual requirements, as well as recent trends and developments in security.
Our management team gathers information to support our efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents from various sources, including reports from internal security personnel, threat intelligence, and other information obtained from governmental, public, or private sources, including external consultants engaged by us, and alerts and reports produced by the information security tools we utilize.
Our Cyber Defense Operations Center (the “CDOC”) is a security operations center that operates 24 hours a day, seven days a week and is our first line of defense against cybersecurity threats. The CDOC continually monitors our information technology security infrastructure for anomalous behavior and other indications of potential threats to protect our data and systems.
We regularly conduct internal and external audits, reviews, assessments, and evaluations to evaluate our compliance posture and the effectiveness of our physical, technical, and organizational measures for protecting us and our systems. Elements of our cybersecurity program are also periodically audited as part of external certification audits. Third-party managed security providers and cybersecurity experts provide us with 24x7 monitoring, threat hunting, risk assessments, penetration testing, and attack surface management to support our Cyber Security Framework. Key findings from cybersecurity audits and third-party risk assessments are summarized and communicated to our senior leadership and the Audit Committee, and remediation actions are implemented to enhance our overall cybersecurity program.
We contractually require our vendors to comply with cybersecurity and data privacy requirements, and we perform risk assessments of vendors, including their ability to protect data from unauthorized access.
To facilitate the success of our risk management framework, multidisciplinary teams throughout the Company, including members of the legal department, operations, and senior management, are deployed to support risk mitigation and our response to threats and potential cybersecurity incidents.
We also regularly conduct training and education to upgrade our game-changers’ knowledge of security risks and vulnerabilities. In fiscal year 2024, our game-changers completed mandatory security awareness training, resulting in a company-wide pass percentage of 95%. In August 2024, we held a Cyber and Fraud Awareness Month, which promoted best practices and vigilance in protecting information and data to prevent cyber-attacks, and educated game-changers on how to report phishing or suspicious messages through a dedicated reporting channel.
We are currently not aware of any cybersecurity incidents or threats that have materially impacted us or our business, financial condition, and results of operations. However, we and our clients routinely face risks of cybersecurity incidents, and there can be no assurance that our security efforts and measures, and those of our third-party providers, will prevent or mitigate a cybersecurity threat or incident that could adversely affect our business. For a discussion of these risks and others that we face, see “Risk Factors” in this Annual Report on Form 10-K.
Governance
Our board of directors, directly and indirectly through its committees, has oversight responsibility for our risk management process, including risks related to cybersecurity. Our board of directors has delegated to the Audit Committee oversight responsibility for the Company’s risk assessment and management activities, including with respect to information technology, cybersecurity, and privacy. As part of our integrated enterprise risk management program, management reports periodically to the Audit Committee on its assessment of our risks and risk management practices, including with respect to ongoing or new cyber and information security risks. Management also reports quarterly to the Audit Committee and annually to the full board of directors on the status of our cybersecurity program, which includes key cybersecurity controls, audits, and compliance, and on any significant projects or areas of focus for the cybersecurity team.
Our cybersecurity risk management framework is implemented by our global security team, which is led by our EVP, Information Technology and Global Security, our SVP, Information Systems and Global Security, and our GVP, Governance, Risk, and Compliance.
As the leaders of our global security efforts, these roles and their teams support the establishment and maintenance of our corporate-wide information security program to protect our information assets and to oversee our cybersecurity and insider risk and compliance teams. Our SVP, Information Systems and Global Security, and our GVP, Governance, Risk, and Compliance report to our EVP, Information Technology and Global Security, and our EVP, Information Technology and Global Security reports to our Chief Executive Officer.
Our EVP, Information Technology and Global Security has over 40 years of global information technology leadership experience, including hands-on management and technology innovation experience. He provides strategic direction for the design, implementation strategy, and Governance of Concentrix Global Infrastructure, Information Security and Application development.
Our SVP, Information Systems and Global Security has an undergraduate degree in Information Technology and over 24 years of global experience in cybersecurity strategy and risk management in various leadership roles at large companies and within government, with extensive experience in the development of and enforcement of security policies, protection of sensitive data, responding to cyber and fraud incidents, and integrating security across operations.
Our SVP, IT Infrastructure has over 29 years of experience in managing a large, geographically dispersed team that designs, plans, implements, and maintains a complex IT infrastructure and operations. He has also played a critical role in the development of security technologies at Concentrix.
Our GVP, Governance, Risk, and Compliance has over 22 years of global experience in information security with specialization in risk management, security tools and technologies, compliance, and privacy. His experience in information security spans advisory and consulting, policy, processes and standards, engineering, and operational support for clients and the internal organization.
Company Information
Name | Concentrix Corp |
CIK | 0001803599 |
SIC Description | Services-Business Services, NEC |
Ticker | CNXC - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | November 29 |