Consensus Cloud Solutions, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Consensus Cloud Solutions, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 21:22:20 EST.

Filings

10-K filed on 2024-02-27

Consensus Cloud Solutions, Inc. filed an 10-K at 2024-02-27 21:22:20 EST
Accession Number: 0001866633-24-000004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We have implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems. Information Security Team and Governance Board of Directors Our Board, in coordination with the Audit Committee, oversees the Company s enterprise risk management process, including the management of risks arising from cybersecurity threats. Our Board has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee. The Audit Committee regularly reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. As part of such reviews, the Audit Committee receives presentations at least quarterly from members of our team responsible for overseeing the Company s cybersecurity risk management, including the Chief Information Security Officer (CISO), Chief Technology Officer (CTO), Chief Legal Officer (CLO), and Head of Internal Audit, which address topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company s peers and third parties. Then, the Audit Committee and such members of our management team report to the Board on a quarterly basis, with an in-depth review at least annually, on data protection and cybersecurity matters. Additionally, the Company has protocols for cybersecurity incidents that meet established reporting thresholds for escalation within the Company including, where appropriate, reporting to the Board and Audit Committee, with required updates for ongoing matters until any such incident has been addressed and resolved. Management The Company has implemented a cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. At the management level, our Cybersecurity and Governance Council, composed of the CISO, CTO, CLO, Chief Revenue Officer and EVP of Operations, and Head of Internal Audit has broad oversight of the Company s risk management processes. The Cybersecurity and Governance Council meets regularly to discuss the risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CISO invites team members from the product and technology groups to attend each Cybersecurity and Governance Council meeting to report on ongoing or relevant cybersecurity and compliance matters. The Cybersecurity and Governance Council reports any material developments to the Audit Committee on a quarterly basis. Our CISO, who has extensive cybersecurity knowledge and skills gained from over 20 years of work experience at the Company and elsewhere, heads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across our business. The CISO receives reports on cybersecurity threats from industry threat reports, and the team members in Information Security who are responsible for various parts of the business on an ongoing basis and in conjunction with management regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Our CISO and the team work closely with Legal and Internal Audit to oversee compliance with legal, regulatory, and contractual security requirements. -33- Risk Management and Strategy The Company employs systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use. Information Security Policy and Requirements The Company s Information Security Policy ( Policy ) is based upon the ISO 27001, HITRUST CSF, SOC 2 Type 2, and PCI DSS frameworks and standards and provides specific and detailed direction and support for appropriately maintaining the overall security, confidentiality, integrity, and availability of information within the Company. The Policy covers all processes, equipment, hardware, and software owned or under the control of the Company as well as networks operated by third parties containing Company information or processes. It addresses the Company s procedures and controls for, including but not limited to, asset and data management, user access and authentication, personnel education/trainings, change management, risk management, system configurations, security monitoring and reporting, vulnerability management, and business continuity and disaster recovery. The Policy applies to all employees, consultants, contractors, and other such persons ( Personnel ) with access to the aforementioned processes, equipment, hardware, and software. The Policy requires that Personnel agree to and are trained annually on all components of the Policy as a condition of employment, partnership, or temporary affiliation with the Company. Employee Trainings All Company employees must complete trainings at least annually on various security threats and best practices including, but not limited to, trainings on the following topics: the Company s Information Security Policy; Information Security Incident Response Plan; HIPAA, PCI Compliance; GDPR and CCPA; Security Awareness and Incident Response Training covering Social Engineering Phishing (identification and common red flags), Social Media safety best practices, Internet Security best practices, and Incident response training for end-users; and Phishing. In addition, our developers must complete Secure Code / Secure Application Development Training based on OWASP top 10 standards. Incident Response Our Company has adopted an Information Security Incident Response Plan that applies in the event of a cybersecurity threat or incident (the IRP ) to provide a standardized framework for responding to security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. In general, our incident response process follows the NIST framework and focuses on four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation. The IRP requires an Information Security Incident Response Team ( IRT ) which includes, at a minimum, the following representatives: CTO, CISO, CLO, Data Protection Officer, and department heads of Network Operations, Engineering, and Information Security to oversee all details of the incident response. The IRP applies to all Company personnel (including third-party contractors, vendors and partners) that perform functions or services that require access to secure Company information, and to all devices and network services that are owned or managed by the Company. Third Party Certifications and Audits In addition to our internal cybersecurity capabilities, we regularly engage with consultants, and other third parties to assist with assessing, identifying, and managing cybersecurity risks. Specifically, the Company is engaged with third party auditors for HITRUST, PCI, and SOC 2 Type 2 for annual certification. We are also engaged with a third party Data Protection Officer to oversee compliance with the General Data Protection Regulation (GDPR). Material Cybersecurity Risks, Threats & Incidents While we have not experienced any risks from cybersecurity threats, including those resulting from previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. We also rely on information technology and third party vendors to support our operations, including our secure processing of personal, confidential, sensitive, proprietary and other types of information. Despite ongoing efforts to continue improvement of our and our vendors ability to protect against cyber incidents, we may not be able to protect all information systems, and such incidents may lead to reputational harm, revenue and client loss, legal actions, statutory -34- penalties, among other consequences. Additional information on cybersecurity risks we face can be found in Part I, Item 1A Risk Factors of this Form 10-K under the heading Risks Related to our Business, which should be read in conjunction with the foregoing information.

Company Information