TERADATA CORP /DE/ 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

TERADATA CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 11:47:06 EST.

Filings

10-K filed on 2024-02-23

TERADATA CORP /DE/ filed an 10-K at 2024-02-23 11:47:06 EST
Accession Number: 0000816761-24-000023

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Risk Management and Strategy Our cybersecurity program is designed to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Enterprise Risk Management. We have processes in place for assessing, identifying, and managing material risks from cybersecurity threats, which are integrated into our Enterprise Risk Management (“ERM”) program. Our ERM program, which is coordinated through our Enterprise Risk and Internal Audit function (“ERAS team”), includes the identification of risks relevant to Teradata s business, including material risks from cybersecurity threats; assigning personnel responsible for such risks; the development of strategies and plans to monitor, assess, and mitigate such risks; and oversight of the identified risks through regular reporting and risk evaluations with management, our Board, and/or relevant Board committee. Our ERAS team works closely with the Information Security function, including our Chief Information Security Officer (“CISO”), in the cybersecurity risk management process that informs the ERM program. Cybersecurity Processes. The processes in place for managing cybersecurity threats, including threats associated with our use of third-party service providers, include identifying potential cybersecurity threats; defining the roles and responsibilities of our personnel pursuant to our Cybersecurity Incident Response Plan (“CIRP”); continuous testing and training of our employees on cybersecurity risks and security hygiene; communication and escalation protocols; and tools and technologies for incident detection and responses . We continuously assess risks and changes in the cybersecurity environment and adjust our processes and cybersecurity investments as appropriate. Our information security processes are built upon a foundation of advanced security technology, a trained team of security experts, and operations based on various global practices, standards, and frameworks, 27 Table of Contents including the International Organization for Standardization, International Electrotechnical Commission, and National Institute of Standards and Technology Cybersecurity Framework. We maintain policies, procedures, and controls that are designed to identify, protect, detect, respond to, and recover from information security and cybersecurity threats and incidents. Such items are reviewed, approved, and maintained by our CISO on an ongoing basis. In addition, we engage external advisors periodically to review and assess our policies, procedures, and controls. Our CIRP provides a documented framework for handling cybersecurity incidents. The CIRP addresses cybersecurity incident detection, containment, analysis, eradication, recovery, escalation protocols, and coordination across multiple functions of the organization. We have processes to manage cybersecurity risks associated with third-party service providers. Such providers are subject to information security assessments at the time of onboarding and at certain other times during their engagement with us. We require our providers to meet appropriate security requirements, controls, and responsibilities and comply with certain cybersecurity and data security standards that we have. We monitor compliance with these standards and investigate security incidents to take appropriate actions as necessary. However, despite the controls that we have in place, we also rely on our third-parties to implement security programs and we cannot ensure in all circumstances that their efforts will be successful. We maintain an annual cybersecurity training plan including employee training on cybersecurity risks, requirements, and incident reporting. As part of our training plan, we regularly perform phishing tests of our employees. In addition, our security training incorporates awareness of cyber threats (including but not limited to malware, ransomware, and social engineering attacks), password hygiene, incident reporting process, as well as physical security best practices. On an annual basis, our employees must complete cybersecurity awareness training. We perform simulations and drills to review and test our information security program, including tabletop exercises, penetration and vulnerability testing, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We maintain insurance to provide coverage for certain losses from cybersecurity threats and incidents. We have developed business continuity and disaster recovery capabilities to mitigate interruptions to critical information systems and the loss of data and services from the effects of natural or man-made disasters to Teradata systems. Cybersecurity Incidents. To protect our information systems from cybersecurity incidents and threats, we use various security tools that help prevent, identify, escalate, investigate, resolve, and recover from identified vulnerabilities and security incidents in a timely manner. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding materiality of the incident and any necessary public disclosure and reporting of such incidents can be made in a timely manner. In the last three fiscal years, we have not experienced any material cybersecurity incident and the expenses we have incurred from security incidents were immaterial. As a result, we do not believe that cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially impacted our results of operations and financial condition. As cybersecurity threats become more sophisticated and coordinated, it is reasonably likely that we will be required to expend greater resources to continue to modify and enhance our protective measures as we pursue our business strategies. Cybersecurity Risks. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity incidents may not be fully insured. See “Risk Factors A cybersecurity incident, disruption, or failure of our information systems or those of our third-party providers could adversely impact our reputation, business, and financial results.” Governance Board Oversight of Cybersecurity Risk . Our Board s role is to engage in informed oversight of enterprise-wide risks as managed through our ERM program, including cybersecurity. While the full Board has overall 28 Table of Contents responsibility for risk oversight, the Board has delegated oversight responsibility related to risks from cybersecurity threats to the Audit Committee. The Audit Committee is responsible for reviewing the adequacy and effectiveness of the Company s information security policies, the internal controls regarding information security and cybersecurity, and risks related to such exposures and actions taken to monitor and/or mitigate such risks. The Audit Committee receives quarterly reports as part of its meeting materials prepared by our CISO regarding the assessment of the status, adequacy, and effectiveness of our processes related to assessing, identifying, and managing cybersecurity risks and related mitigation plans. In addition, at least twice per year, the Audit Committee meeting agenda includes a presentation by the CISO to review and discuss the CISO s report on cybersecurity risks, mitigation plans and the steps the security team has taken to monitor and control related exposures. The Audit Committee reports to the Board on cybersecurity matters discussed at its meetings and the CISO s quarterly reports are provided to the Board as part of their meeting materials for their information as well. Executive Oversight of Cybersecurity. Management is responsible for the Company s planning, identification, assessment, and mitigation of risks from cybersecurity threats. Our CISO, Chief Legal Officer, and Chief Financial Officer comprise our Core Cybersecurity Management Team (the “CCMT”) . The CCMT has oversight of Teradata s CIRP and is informed and consulted on the response and resolution process for cybersecurity incidents . The CCMT is responsible for determining communications to inform relevant stakeholders of cybersecurity incidents as applicable, relevant, and/or required, including the Board; Audit Committee; the executive leadership team; investors; customers; employees; law enforcement; and regulators. Depending on the nature and/or severity of the incident, additional stakeholders within the broader enterprise-wide management team may be included in the assessment, response, and resolution of an incident by the CCMT. The broader management team for this purpose may include, but is not limited to, executive and senior leaders in our Product, Customer, People, Information Technology, and Law functions, as well as others that may be considered necessary (collectively referred to as the “ECMT”). The ECMT provides oversight, perspective, and support from their respective areas of expertise to assist in analyzing the cybersecurity incident, materiality of the incident, and remediation considerations. CISO and Cybersecurity Team . Our Information Security function is led by our CISO and is responsible for executing our enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The Information Security function consists of qualified professionals in cybersecurity. This team sets the cybersecurity strategy for Teradata; develops Teradata s cybersecurity architecture and deploys and manages tools and technologies aligned with such architecture to safeguard our information systems; manages the cybersecurity training required of our employees; monitors our cybersecurity threats and incidents; escalates the occurrence of cybersecurity incidents pursuant to the CIRP; and addresses and incorporates mitigation items. The CISO appoints a Cybersecurity Incident Response Coordinator (“CIRC”) to lead the management of cybersecurity incidents. The primary responsibilities of the CIRC include, but are not limited to: receiving and tracking all reported potential cybersecurity threats; escalating incident response; determining relevant stakeholders of the Information Technology function and cybersecurity incident response team, which team is selected by CIRC to serve as the lead function for investigating and coordinating cybersecurity incidents; alerting the applicable support functions of the potential cybersecurity threat and any defensive action that would be required; and alerting management, as applicable and necessary, of the potential cybersecurity threat. Members of our Information Security function have broad ranges of qualifications and experience in information technology and security. Our CISO has over 25 years of information security experience during which he has worked on various information technology and security programs, including privacy operations and security risk management. He has experience with many different types of enterprises, including the federal government, private companies, and publicly listed companies. Our CISO has a Bachelor of Science in Information Technology and an MBA. 29 Table of Contents The team within the Information Security function (referred hereinto as the “cybersecurity team”) possesses a robust blend of technical knowledge, practical skills, and strategic insight, gained through years of experience in the field of cybersecurity. Our cybersecurity team includes professionals certified in a wide array of cybersecurity disciplines. Their qualifications include, but are not limited to, Certified Information Systems Security Professional (“CISSP”) for general security practices, Certified Ethical Hacker (“CEH”) for penetration testing capabilities, Certified Information Systems Auditor (“CISA”) for information systems auditing, Certified Information Security Manager (“CISM”) for overseeing enterprise security, Certified Risk and Information Systems Control (“CRISC”) for risk management, and Certified Cloud Security Professional (“CCSP”) for cloud security expertise. Additionally, they possess various other certifications in specific technologies and cloud security from providers like AWS and Microsoft, along with numerous other industry-relevant security certifications. This diverse expertise underscores their comprehensive understanding of the cybersecurity landscape. The cybersecurity team attends training programs to update their skills and knowledge.

Company Information