SPS COMMERCE INC 10-K Cybersecurity GRC - 2025-02-18

Page last updated on February 19, 2025

SPS COMMERCE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 20:19:10 EST.

Filings

10-K filed on 2025-02-18

SPS COMMERCE INC filed a 10-K at 2025-02-18 20:19:10 EST
Accession Number: 0001092699-25-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have an established security program and framework based on ISO/IEC 27001 (“Security Program”) and maintain ISO/IEC 27001:2013, SOC 1 Type 2, and SOC 2 Type 2 certifications. The Security Program has been established to allow management oversight of cybersecurity risks, institute directives and principles for information security, ensure alignment to regulatory and contractual cybersecurity obligations, and enable timely incident response and remediation. Our information security team has implemented and continues to maintain various technical, physical, and administrative controls as the foundation of our Security Program, which are designed to help us identify, manage, prevent, and mitigate risks from cybersecurity threats, including, but not limited to, incident detection systems and response plans, vulnerability management tools and processes, risk assessments, disaster recovery and business continuity plans, access controls, asset management, logging and monitoring, security awareness training, and third-party risk management programs. Our information security team actively monitor and evaluate our networks, systems, data, and security risk profile to identify and assess cybersecurity risks. We use a variety of methods to identify and evaluate these risks using manual and automated tools and processes, including, network scans, vulnerability and maturity assessments, and subscribing to services and reports providing threat intelligence. In doing so, risks are assessed for criticality, prioritized in context of our business, and communicated to stakeholders for engagement as needed. We use a variety of third-party service providers to support and execute on our Security Program. These third parties provide cybersecurity consulting services, cybersecurity software, penetration testing, audits, and other professional services to aid us in identifying, assessing, and managing risks from cybersecurity threats. The Security Program is led by our Chief Information Security Officer (“CISO”) , who has served in the role since 2023, has over 10 years of experience leading cybersecurity programs in a large, publicly traded, international enterprise, and is a Certified Information Systems Security Professional (“CISSP”). Our Executive Security Steering Committee (“ESSC”), comprised of selected members of leadership, assesses and manages any material risks from cybersecurity threats and manages our Security Program. The CISO and information security team provide regular updates to the ESSC on our Security Program and, in accordance with our security incident response plan, escalate applicable cybersecurity threats or incidents to the ESSC for review and management. SPS COMMERCE, INC. 23 Form 10-K for the Annual Period ended December 31, While we have experienced cybersecurity incidents and expect to continue to be subject to such incidents, to date, we have not experienced any cybersecurity incidents that have materially affected our business, financial condition, or results of operations. However, we are subject to ongoing risks from cybersecurity threats that could materially affect us, including our business, financial condition, or results of operations, as further described in Part I, Item 1A, “Risk Factors” of this Annual Report on Form 10-K. Governance Our Audit Committee of our board of directors oversees our risk management processes related to cybersecurity risks and is regularly informed of such risks through presentations or reports from our CISO. Through committee reports, the Audit Committee apprises the full board of directors of any significant cybersecurity updates. In addition, our security incident response plan includes reporting certain cybersecurity incidents to our Audit Committee. Finally, our board of directors reviews cybersecurity risks on an annual basis, including discussing with management, our CISO, and members of the ESSC our strategy surrounding prevention, detection, mitigation, and remediation of potential security threats.

Company Information