Page last updated on February 12, 2025
PROS Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-12 16:11:32 EST.
Filings
10-K filed on 2025-02-12
PROS Holdings, Inc. filed a 10-K at 2025-02-12 16:11:32 EST
Accession Number: 0001392972-25-000019
Item 1C. Cybersecurity.

Our Board recognizes the critical importance of maintaining the trust and confidence of our customers, business partners and employees. Our Board is actively involved in oversight of our risk management program, and cybersecurity represents an important component of our overall approach to enterprise risk management (“ERM”). Our cybersecurity policies, standards, processes and practices are integrated into our ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. In general, we seek to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, integrity and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and responding to Cybersecurity Events when they occur.

Risk Management and Strategy

As a critical element of our overall ERM approach, our cybersecurity program is focused on the following key areas:

Governance. As discussed in more detail under the heading “Governance” below, our Board and management devote significant time to cybersecurity risk oversight. The Board annually reviews our overall cybersecurity risk profile to help ensure that sensitive data remains secure in an ever-changing threat landscape, including risk preparedness and mitigation strategies. This assessment considers a range of factors, including our business objectives, the threat landscape, industry trends and regulatory requirements. The Audit Committee of the Board (“Audit Committee”) oversees our cybersecurity risk management and regularly meets, not less than quarterly, with our Chief Information Security Officer (“CISO”) and other members of management, including those with significant roles in our cybersecurity efforts. Our Executive Steering Committee, described below, provides senior management oversight to our cybersecurity program.

Collaboration. We take a cross-functional approach to identify, prevent and mitigate cybersecurity threats and incidents, and implement controls and procedures designed to promptly escalate certain Cybersecurity Events to help ensure timely review, disclosure and reporting of such incidents.

Technical Safeguards. We deploy technical safeguards designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which we evaluate and improve through vulnerability assessments and cybersecurity threat intelligence.

Incident Response and Recovery Planning. We established and maintain incident response and recovery plans that address our response to a Cybersecurity Event, and test and evaluate such plans on a regular basis.

Third-Party Risk Management. We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as third-party systems that could adversely impact our business in the event of a Cybersecurity Event affecting those systems.

Education and Awareness. We provide regular, mandatory training for our employees regarding cybersecurity threats and our security policies to equip our employees with tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.

We regularly assess and test our cybersecurity policies, standards, processes and practices. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning.

We regularly engage recognized third-party experts to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. We adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

Governance

Our Board, in coordination with the Audit Committee, oversees our ERM process, including the management of risks from cybersecurity threats. The Board and the Audit Committee receive regular presentations and reports on cybersecurity risks from our CISO, which can include a wide range of topics such as recent developments, evolving standards, security effectiveness, vulnerability assessments, third-party and independent reviews, the current and evolving threat environment, incident response planning, remediation efforts, employee training and awareness (such as the results of our annual cybersecurity training), technological trends and information security considerations arising with respect to our peers and third parties. On a quarterly basis, our Audit Committee discusses our approach to cybersecurity risk management with our CISO and other members of management, including planned initiatives to help the Board evaluate the effectiveness of our cybersecurity program. One of our independent directors, Ms. Hammoud, a seasoned software executive, is a member of the Audit Committee and also provides direct guidance on cybersecurity matters to our CISO outside of regularly scheduled Audit Committee and Board meetings.

Our CISO, in coordination with our Executive Steering Committee, which includes our CEO, our Chief Financial Officer (“CFO”), our Executive Vice President, Engineering, our Senior Director, IT and our General Counsel, works collaboratively across the Company to implement a cybersecurity risk management program intended to protect our information systems from cybersecurity threats and to promptly respond to any Cybersecurity Events in accordance with our incident response and recovery plans. As part of that program, multidisciplinary teams across the Company (both standing, regular teams and special teams as needed) are deployed to provide governance over cybersecurity issues, address cybersecurity threats and to respond to Cybersecurity Events. Through ongoing communications with these teams, our CISO and management monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and report such threats and incidents to the Audit Committee, and in certain incidents to the Board, when appropriate.

Our CISO has served in various roles in risk management and enterprise and cybersecurity for over 20 years, including serving as Deputy CISO at a global cybersecurity software company. Our CISO has attained numerous professional certifications, including Certified Information Systems Security Professional, Certified in Risk and Information Systems Control, Certified Information Security Manager, Certified Information Systems Auditor, and GIAC Security Operations Manager. Our CEO, who has decades of software engineering experience, has served as our CEO and as a member of our Board for fourteen years, during which time he has overseen our ERM program, including risks arising from cybersecurity threats. Our CFO and General Counsel each have more than 20 years of experience managing risks, including both at the Company and with other public companies. The other members of our Executive Steering Committee are all experienced leaders in their respective areas of management with extensive SaaS operational experience.

In 2024, we did not identify any cybersecurity threats that materially affected or are reasonably likely to materially affect our business strategy, results of operations, cash flows or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, nor provide assurances that we have not experienced undetected Cybersecurity Events. For additional information about these risks, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.
Company Information
Name | PROS Holdings, Inc. |
CIK | 0001392972 |
SIC Description | Services-Computer Programming Services |
Ticker | PRO - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |