Thoughtworks Holding, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Thoughtworks Holding, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 07:23:24 EST.

Filings

10-K filed on 2024-02-27

Thoughtworks Holding, Inc. filed a 10-K at 2024-02-27 07:23:24 EST
Accession Number: 0001866550-24-000022


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize that risk management is an integral part of achieving our organizational goals, enhancing stockholder value and increasing the likelihood of long-term corporate success. Our processes for assessing, identifying and managing material risks from cybersecurity threats have been integrated into our overall Enterprise Risk Management ("ERM") program. We maintain a strong cybersecurity program to protect not only our business, but also our clients, vendors and employees. We have a dedicated Information Security function ("Infosec") that oversees the company's cyber risk management and strategy. As a result of our global business, we must comply with domestic and international laws and regulations. Our privacy and cybersecurity policies encompass incident response procedures, information security and vendor management. In order to help develop these policies and procedures, we monitor the privacy and cybersecurity laws, regulations and guidance applicable to us in the regions where we do business. In order to comply with the variety of domestic and international legal requirements, Infosec aligns the company's program with common industry frameworks (such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), Cyber Essentials +, and the Trusted Information Security Assessment Exchange (TISAX)). To assess and manage risk, we have a formal risk assessment methodology. Risk assessments of our key risk categories are conducted on a continuous basis. We perform regular internal audits and we use a third party vendor if we need an external audit. Infosec reviews these assessments and takes action as required to meet compliance requirements. The assessments, along with any mitigation efforts or remediation, are incorporated into our broader risk management process.

Between the risk owner, the Infosec team and, in the case of the most severe risks, the Technology Risk Steering Subcommittee (described below), mitigations are decided, and remediation assigned to appropriate teams to implement which is, as needed, overseen by the ERM Steering Committee (described below). On an on-going basis, our information technology systems are monitored for anomalies, vulnerabilities and misconfigurations. Furthermore, all employees are required to take an annual security awareness training, with additional role-specific training for employees involved in security and risk management. With respect to third party service providers, we obligate our vendors to adhere to privacy and cybersecurity measures, and we perform vendor assessments, including their ability to protect data from unauthorized access. In order to drive continuous improvement, we have implemented an internal security and data protection maturity assessment for our client delivery teams. In addition, we commission an independent external assessment of our cybersecurity maturity annually. The results of these assessments are shared with the Board, key senior leadership, and the Infosec leadership team to develop and inform our strategy for the coming year.

As described in Item 1A "Risk Factors," our operations rely on the secure processing, storage and transmission of confidential and other information in our computer systems and networks. Computer viruses, hackers, employee or vendor misconduct, and other external hazards could expose our information systems and those of our vendors to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our business. While we have experienced cybersecurity events, to date, we are not aware that we have experienced a material cybersecurity incident.

The sophistication of cybersecurity threats, including through the use of artificial intelligence, continues to increase, and the controls and preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems, including the regular testing of our cybersecurity incident response plan, may be insufficient. In addition, new technology that could result in greater operational efficiency may further expose our computer systems to the risk of cybersecurity incidents.

Governance

Thoughtworks has a multilayer approach to governance of its cybersecurity program. Our Board of Directors encourages management to promote a culture that incorporates risk management into our corporate strategy and day-to-day business operations. Management discusses strategic, operational, financial and legal risks at regular management meetings and raises strategic issues and points of concern with the Board of Directors, or its standing subcommittees, through regularly scheduled or, if necessary, special meetings, as needed. Our Audit Committee, comprised of independent directors from our Board, oversees the Board's responsibilities relating to the operational risk affairs of the Company, including information technology risks, business continuity and data security. Our Audit Committee is informed of such risks through an annual board meeting.

Nitin Raina has been our Chief Information Security Officer ("CISO") since 2022. Prior to that, Mr. Raina was Vice President of Cyber and Information Security between 2020 and 2022. From 2015 to 2022, he was Global Director of Information Security. Mr. Raina has over 25 years of work experience in information technology and cybersecurity. Mr. Raina earned a Bachelor of Engineering, Electronic and Telecommunications from the COEP Technology University in Pune, India and a Post Graduate Diploma in Information Technology from the Symbiosis Centre for Distance Learning. Mr. Raina also holds the Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) industry certifications and Board Qualified Technology Executive (QTE).

We also have management level committees, along with Infosec, who support our processes to assess and manage cybersecurity risk as follows:

The ERM Steering Committee, composed of members from senior leadership, including our CISO, regularly assesses and prioritizes enterprise risks and oversees appropriate mitigation plans.

The Technology Risk Steering Subcommittee, composed of members of senior leadership, which includes our Chief Talent and Operating Officer, Chief Information Officer, General Counsel and Chief Compliance Officer, Chief Technology Officer, and Chief Information Security Officer, discusses technology risks, cyber risks, data protection risks and opportunities to enable safe, effective, and efficient execution of business objectives.

The CISO, in coordination with management level committees, along with Infosec, works collaboratively across the Company to implement a program designed to protect the Company's information systems from cybersecurity threats and to promptly respond to any material cybersecurity incidents in accordance with the Company's incident response and recovery plans. To facilitate the success of the Company's cybersecurity program, cross-functional teams throughout the Company address cybersecurity threats and respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and senior management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time.

At least once a year, the Board of Directors receives an update on the risk management process and enterprise risks, including those related to cybersecurity and data privacy. If there are any significant or critical cybersecurity threats or incidents, management will provide special reports to either the Audit Committee or the Board of Directors, depending on the severity of the threat or incident. Please see our 2023 Proxy Statement filed April 14, 2023 for more information regarding our ERM program.


Company Information

Name: Thoughtworks Holding, Inc.
CIK: 0001866550
SIC Description: Services-Computer Programming Services
Ticker: TWKS - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30