Page last updated on February 27, 2025
TTEC Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:36:30 EST.
Filings
10-K filed on 2025-02-27
TTEC Holdings, Inc. filed a 10-K at 2025-02-27 16:36:30 EST
Accession Number: 0001558370-25-001823
Item 1C. Cybersecurity.
Risk Management and Strategy. The Company recognizes the critical importance of maintaining the trust and confidence of our clients, business partners, and employees, and has developed an information security program to address material risks from cybersecurity threats. We have implemented a cross-functional approach to preserving the overall integrity of the information that the Company collects and stores by identifying, preventing where possible, and mitigating cybersecurity threats, and responding to security incidents when they occur. We also maintain controls and procedures that enable prompt escalation of certain cybersecurity incidents so decisions about public disclosure and reporting of such incidents can be timely made. The Company relies on a comprehensive Enterprise Risk Management (“ERM”) program, which includes cybersecurity as an important component. Our cybersecurity program is focused on the following key areas:
Risk Assessment and Remedial Measures. The Company engages in periodic cybersecurity and technology resilience risk assessments based on methodology and guidance from a recognized national standards organization; and utilizes periodic risk-based analysis for adopting, maintaining and adjusting security controls to address such risks. The following factors, among others, are considered by the Company in assessing its cybersecurity risks, mitigation, and remediation strategies: the likelihood and severity of risk; impact on the Company and others, if a risk materializes; feasibility and cost of controls; and impact of controls on operations and on others.
The specific controls used by the Company vary based on the specific systems, but usually include firewalls, intrusion prevention and detection systems, anti-malware technical safeguards and access controls, endpoint threat detection and response (EDR), identity and access management (IAM), privileged access management (PAM), logging and monitoring using security information and event management (SIEM), multi-factor authentication (MFA), vulnerability and patch management, third-party dark web monitoring and threat-intelligence services.
The Company periodically tests its cybersecurity policies, standards, processes, and practices. The testing conducted by our in-house security teams includes audits, assessments, tabletop exercises, threat modeling, penetration testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company also regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. Individual controls are evaluated and periodically improved through vulnerability assessments and cybersecurity threat intelligence. The Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.
The Company’s Chief Security Officer (“CSO”) works collaboratively across the Company with other members of TTEC’s leadership team to implement cybersecurity programs designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to cybersecurity incidents in accordance with the Company’s incident response and recovery plans.
To facilitate the success of the company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and respond to cybersecurity incidents.
Third-Party Risks. The Company maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
Business Continuity and Incident Response. The Company has established and maintains comprehensive business continuity, disaster recovery, and incident response plans that address the Company’s response to cybersecurity incidents, among other events that require resilient response. We conduct periodic tabletop exercises and other testing of these plans to enhance incident response preparedness for potential disruption to technology we rely on in our business.
Education and Awareness. The Company requires employees to complete periodic mandatory training on cybersecurity threats to equip the Company’s personnel with tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes, and practices.
Although the Company has confidence in the security measures and processes it deploys to protect its environment from cybersecurity threats, neither the Company nor the third parties it relies on may be able to fully, continuously, and effectively implement security controls as intended. As stated above, we utilize a risk-based approach and judgment to determine which security controls to implement, and it is possible we may not implement appropriate controls if we fail to recognize or underestimate a particular risk.
In addition, security controls, no matter how well designed or implemented, may only mitigate, but not fully eliminate, risks. The full impact of security events, when detected by security tools or third parties, may not always be immediately understood or acted upon.
Governance. The Company’s Board of Directors (the “Board”), in coordination with its Audit Committee, oversees the Company’s overall ERM process, and has delegated the management of risks arising from cybersecurity threats to the Security & Technology Committee, which regularly interacts with the Company’s CSO (who maintains chief information security officer (“CISO”) responsibilities at TTEC among other responsibilities), Chief Information Officer (“CIO”), the Chief Privacy Officer, Chief Legal & Risk Officer, and other members of management. The Security & Technology Committee of the Board receives regular reports on the Company’s cybersecurity risks, vulnerability assessments, third-party and independent reviews, and the steps the Company is taking to address the security risks, among other relevant information, and shares information with the full Board as appropriate. The Board also has access to and periodically meets with the Company’s CSO, CIO, and Chief Legal & Risk Officer about the approaches and progress that the Company is making on its cybersecurity risk management priorities. The Board and the Security & Technology Committee also receive prompt information regarding cybersecurity incidents that meet established reporting thresholds, as well as ongoing updates regarding any such incidents until they have been addressed.
Our CSO holds an undergraduate degree in Computer Science and has served in various information technology and information security roles, including serving as the CSO for two public companies as well as various leadership roles in two medium sized private companies over the last 30 years.
Our CIO holds an undergraduate degree in Computer and Electrical Engineering and has served in various roles in information technology for over 25 years, including serving as either the chief technology officer or chief information officer for two large public companies and a technology start-up.
The Company has previously experienced significant cybersecurity incidents. Although cybersecurity threats, including any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to materially affect the Company, there can be no assurances that future cybersecurity incidents, which are unavoidable, will not materially affect our results of operations, including our business strategy, results of operations, or financial condition.
Company Information
Name | TTEC Holdings, Inc. |
CIK | 0001013880 |
SIC Description | Services-Help Supply Services |
Ticker | TTEC - Nasdaq |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |