Page last updated on February 20, 2025
Bandwidth Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:12:08 EST.
Filings
10-K filed on 2025-02-20
Bandwidth Inc. filed a 10-K at 2025-02-20 16:12:08 EST
Accession Number: 0001514416-25-000024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. Our enterprise-wide information security program is designed to identify, protect, detect, respond to and manage reasonably foreseeable cybersecurity risks and threats. We use a widely-adopted risk quantification model to identify, measure and prioritize cybersecurity threats and develop related security controls and safeguards. We conduct regular periodic reviews and tests of our information security program and also leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing internally and with external independent third-parties, threat modeling, simulations, and other exercises in an effort to evaluate the effectiveness of our information security program and improve our security measures and planning.
We have implemented incident response and breach management processes, which have four overarching and interconnected workflows: (1) detection and analysis of a security or privacy incident, (2) investigation, mitigation and remediation, (3) reporting and notification, and (4) post-incident analysis. These processes may involve participants from our information security, network, information technology, software development, executive and legal teams. From time to time, we also conduct exercises to simulate responses to cybersecurity incidents.
Our team of cybersecurity professionals collaborates with legal, technical and business stakeholders to further analyze the risks to the company and form detection, mitigation and remediation strategies. As part of the processes described above, we regularly engage external auditors and consultants to assess our cybersecurity programs and compliance with applicable practices and standards.
Our Information Security Management System has been certified to conform to the requirements of ISO/IEC 27001:2013 and AICPA SOC 2 Type II, which includes all five of the Trust Services Criteria.
Our Vendor Risk Management (“VRM”) program aids in evaluating the cybersecurity and data privacy risks associated with the use of vendors and other third parties that will be processing, storing, or handling Bandwidth employee, business or customer data. The VRM program is designed to evaluate third-party risk, advise on selection or implementation recommendations, and inform privacy, security and data protection contractual terms. We rely, however, on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful.
Our Application Security program performs static and dynamic scanning of systems and software code. In addition, we perform vulnerability scans daily on our systems and assets.
With respect to cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner with continuous monitoring from our Security Operations Center. These tools include, but are not limited to, Endpoint Detection and Response, Security Information and Event Management, Attack Surface Management, Static Application Security Testing, Dynamic Application Security Testing, DDoS Mitigation Services, threat detections including intelligence and brand monitoring, intrusion detection sensors, network firewalls and web application firewalls.
There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information.
Our systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information (of third parties, employees, and our members) and other data, confidential information or intellectual property. We have not experienced any material cybersecurity events in the last three fiscal years, and expenses incurred in connection with cybersecurity incidents were not material. However, we do face risks from similar attacks and other cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition. Further, an attack on, or penetration of, our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risks. See “Risk Factors - Attacks on or breaches of our networks or systems, or those of third parties upon which we rely, could degrade our ability to conduct our business, compromise the integrity of our services and our communications platform, result in service degradation or outages, significant data losses, the theft of our intellectual property, investigations by government agencies and damage to our reputation, and could expose us to liability to third parties and require us to incur significant additional costs to maintain the security of our networks and data,” included elsewhere in this Annual Report on Form 10-K.
Cybersecurity Governance
Our board of directors oversees our annual enterprise risk assessment, where we assess key risks within the company, including security and technology risks and cybersecurity threats. Our board of directors receives an update on Bandwidth’s risk management process at least annually, and receives quarterly cybersecurity updates from our Chief Information Officer (“CIO”).
Our CIO and our Vice President, Information Security lead our global information security organization and are responsible for overseeing our information security program. Our Vice President, Information Security has over 25 years of industry experience, including serving in similar roles, building, leading and overseeing cybersecurity programs at other private and public companies. Team members who support our information security program have relevant educational and industry experience, including application security, security operations, forensic and incident response, governance, risk and compliance.
At the management level, our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, operations, legal and compliance stakeholders meet regularly to discuss strategies designed to preserve the confidentiality, integrity and availability of our and our customers’ information by identifying and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. Our Executive Security Committee, which includes our Chief Operating Officer, our CIO, our Chief Technology Officer, our Chief Development Officer, our General Counsel and other cross-functional participants, meets monthly to evaluate our cybersecurity risks and related response efforts.
Cybersecurity Education and Awareness
We monitor emerging laws and best practices related to data protection, privacy and information security. We regularly remind employees of the importance of handling and protecting customer and employee data, and our policies require each of our employees to undergo annual privacy and information security training designed to enhance employee awareness of how to detect and respond to cybersecurity threats.
Company Information
Name | Bandwidth Inc. |
CIK | 0001514416 |
SIC Description | Services-Prepackaged Software |
Ticker | BAND - Nasdaq |
Category | Accelerated filer |
Fiscal Year End | December 30 |