Jamf Holding Corp. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Jamf Holding Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:11:11 EST.

Filings

10-K filed on 2024-02-27

Jamf Holding Corp. filed a 10-K at 2024-02-27 16:11:11 EST
Accession Number: 0001628280-24-007212


Item 1C. Cybersecurity.

Risk Management and Strategy

Cyberattacks, computer malware, viruses, social engineering (including phishing and ransomware attacks), and general hacking are becoming more prevalent and more sophisticated in our industry. To mitigate the adverse impact of these threats to our business, we take a comprehensive approach to cybersecurity risk management and make proactively securing our systems and the data customers, employees, partners, and other stakeholders entrust to us a top priority. Our Board and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats. See "Risk Factors - Risks Related to Our Intellectual Property and IT Systems" for a more comprehensive description of cybersecurity-related risks.

We have devoted significant financial and personnel resources to implement and maintain security measures to mitigate these risks and meet regulatory requirements and customer expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. While in the last fiscal year, we did not identify a cybersecurity threat or incident that resulted in a material adverse impact to our business, results of operations, or financial condition, there can be no guarantee that we will not experience or have not experienced such an incident.

Our policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on frameworks established by the National Institute of Standards and Technology. Cybersecurity risks related to our business, technical operations, privacy, and compliance issues are identified and addressed through a multi-faceted approach including third-party assessments, internal IT audit, IT security, governance, risk, and compliance reviews.

To protect, detect, and respond to cybersecurity threats, we conduct the following activities at various intervals during the year, which vary in maturity across our business:

• Regular network and endpoint monitoring;
• 24x7 security operations monitoring of our systems, networks and services to detect and act on weaknesses and potential intrusions;
• Role-based access controls to identify, authenticate and authorize individuals to access systems based on their job responsibilities;
• Business resiliency planning with disaster recovery and business continuity testing;
• Testing of new products and services and major changes to existing products and services to identify potential security vulnerabilities before release;
• Protection, including encryption, for the secure communication of sensitive data;
• Regular, proactive privacy and cybersecurity reviews of systems and applications, including third-party security practices;
• Auditing of applicable data policies;
• Regular internal and external security audits and penetration tests by third-party security vendors, as well as internal offensive team penetration testing;
• At least annual security awareness training and testing of our employees; and
• Monitoring emerging laws and regulations related to data protection and information security and implementing appropriate changes.

We have implemented incident response processes that focus on preparation for a cybersecurity incident; detection and analysis of a security incident; containment, eradication, and recovery; and post-incident analysis. Our program is designed to evaluate, rank by severity and prioritize response and remediation of security events and data incidents. Incidents are evaluated to determine operational and business impact, as well as privacy considerations. We also conduct tabletop exercises to simulate responses to cybersecurity incidents and evaluate the effectiveness of our incident response systems. Our team of cybersecurity professionals then collaborates with technical and business stakeholders across our business units to further analyze the risk to the Company, and form detection, mitigation, and remediation strategies. We maintain controls and procedures that are designed to promote prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Audit Committee of our Board in a timely manner.

As part of our risk management program, we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers when handling and/or processing our employee, business, or customer data. In addition to new vendor onboarding, we perform risk management during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents.

Our cybersecurity policies, standards, processes, and practices are regularly assessed by consultants and external auditors. These assessments include a variety of activities including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. We have also obtained industry certifications and attestations that demonstrate our dedication to protecting our systems and the data entrusted to us.

Governance and Oversight

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Audit Committee is responsible for the primary oversight of risks from cybersecurity threats. Members of the Audit Committee receive quarterly updates from management regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), and status on key information security initiatives. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy officers.

Our cybersecurity risk management and strategy processes are overseen by leaders from our enterprise operations, compliance, and legal teams, including our Chief Information Officer and Chief Legal Officer. Such individuals have extensive prior work experience in various roles involving information technology, including security, auditing, compliance, systems, and programming. These individuals are informed about, and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee on any appropriate items.


Company Information

Name: Jamf Holding Corp.
CIK: 0001721947
SIC Description: Services-Prepackaged Software
Ticker: JAMF - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30