PROS Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

PROS Holdings, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 15:50:59 EST.

Filings

10-K filed on 2024-02-14

PROS Holdings, Inc. filed a 10-K at 2024-02-14 15:50:59 EST
Accession Number: 0001392972-24-000025


Item 1C. Cybersecurity.

Our Board recognizes the critical importance of maintaining the trust and confidence of our customers, business partners and employees. Our Board is actively involved in oversight of our risk management program, and cybersecurity represents an important component of our overall approach to enterprise risk management (“ERM”). Our cybersecurity policies, standards, processes and practices are integrated into our ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. In general, we seek to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, integrity and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents when they occur.

Risk Management and Strategy

As one of the critical elements of our overall ERM approach, our cybersecurity program is focused on the following key areas:

Governance. As discussed in more detail under the heading “Governance” below, our Board and management devote significant time to cybersecurity risk oversight. The Board annually reviews our overall cybersecurity risk profile to help ensure that sensitive data remains secure in an ever-changing threat landscape, including risk preparedness and mitigation strategies. This assessment considers a range of factors, including our business objectives, the threat landscape, industry trends and regulatory requirements. The Audit Committee of the Board (“Audit Committee”) spearheads the oversight of our cybersecurity risk management and regularly meets, not less than quarterly, with our Chief Information Security Officer (“CISO”) and other members of management, including those with significant roles in our cybersecurity efforts. Our Executive Steering Committee, described below, provides senior management oversight to our cybersecurity program.

Collaborative Approach. We have implemented a cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

Technical Safeguards. We deploy technical safeguards designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.

Incident Response and Recovery Planning. We have established and maintain incident response and recovery plans that address our response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.

Third-Party Risk Management. We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Education and Awareness. We provide regular, mandatory training for our employees regarding cybersecurity threats and our security policies to equip our employees with tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.

We regularly assess and test our cybersecurity policies, standards, processes and practices. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage recognized third-party experts to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. We adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

Governance

Our Board, in coordination with the Audit Committee, oversees our ERM process, including the management of risks from cybersecurity threats. The Board and the Audit Committee receive regular presentations and reports on cybersecurity risks from our CISO, which address a wide range of topics including recent developments, evolving standards, security effectiveness, vulnerability assessments, third-party and independent reviews, the threat environment, incident response planning, remediation efforts, employee training and awareness (including the results of our annual cybersecurity training), technological trends and information security considerations arising with respect to our peers and third parties. On a quarterly basis, our Audit Committee discusses our approach to cybersecurity risk management with our CISO and other members of management, including planned initiatives to help the Board evaluate the effectiveness of our cybersecurity program. One of our independent directors, Ms. Hammoud, a seasoned software executive, participates in Audit Committee meetings during cybersecurity sessions and provides direct guidance to our CISO outside of regularly scheduled Board meetings on cybersecurity matters.

Our CISO, in coordination with our Executive Steering Committee, including our CEO, our Chief Financial Officer (“CFO”), our Executive Vice President, Engineering, our Director of IT and our General Counsel, works collaboratively across the Company to implement a program intended to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to provide governance over cybersecurity issues, address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, our CISO and management monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to the Audit Committee, and in certain incidents to the Board, when appropriate.

Our CISO has served in various roles in risk management and enterprise and cybersecurity for over 20 years, including serving as Deputy CISO at a global cybersecurity software company. Our CISO has attained numerous professional certifications, including Certified Information Systems Security Professional, Certified in Risk and Information Systems Control, Certified Information Security Manager, Certified Information Systems Auditor, and GIAC Security Operations Manager. Our CEO, who has decades of software engineering experience, has served as our CEO and as a member of our Board for thirteen years, during which time he has overseen our ERM program, including risks arising from cybersecurity threats. Our CFO and General Counsel each have more than 20 years of experience managing risks, including both at the Company and with other public companies. The other members of our Executive Steering Committee are all experienced leaders in their respective areas of management with extensive SaaS operational experience.

In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, cash flows, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.


Company Information

Name: PROS Holdings, Inc.
CIK: 0001392972
SIC Description: Services-Computer Programming Services
Ticker: PRO - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30