Bandwidth Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Bandwidth Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-02-28 16:17:07 EST.

Filings

10-K filed on 2024-02-28

Bandwidth Inc. filed a 10-K at 2024-02-28 16:17:07 EST
Accession Number: 0001514416-24-000024


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We use a widely-adopted risk quantification model to identify, measure and prioritize cybersecurity threats and develop related security controls and safeguards. We conduct regular reviews and tests of our information security program and also leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, threat modeling, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. Our enterprise-wide information security program is designed to identify, protect, detect, respond to and manage reasonably foreseeable cybersecurity risks and threats. Cybersecurity risks related to our business, network, and operations are identified and addressed through a multi-faceted approach including third-party assessments, as well as internal information system and network security, governance, risk and compliance reviews.

To defend, detect and respond to cybersecurity incidents, we (i) conduct proactive privacy and cybersecurity reviews of systems and applications, (ii) audit applicable data policies, (iii) perform penetration testing internally and with external independent third parties to test our security controls, (iv) conduct employee training, (v) monitor emerging laws and best practices related to data protection and information security and (vi) implement appropriate changes. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information.

We have implemented incident response and breach management processes, which have four overarching and interconnected workflows: (1) detection and analysis of a security or privacy incident, (2) investigation, mitigation and remediation, (3) reporting and notification, and (4) post-incident analysis. Such incident responses may involve participants from our information security, network, information technology, development, executive and legal teams. We also conduct exercises to simulate responses to cybersecurity incidents. Our team of cybersecurity professionals collaborates with technical and business stakeholders across our business units to further analyze the risks to the company and form detection, mitigation and remediation strategies. As part of the processes described above, we regularly engage external auditors and consultants to assess our cybersecurity programs and compliance with applicable practices and standards. Our Information Security Management System has been certified to conform to the requirements of ISO/IEC 27001:2013 and AICPA SOC 2 Type II, which includes all five of the Trust Services Criteria.

Our Vendor Risk Management (VRM) program assesses risks from cybersecurity threats associated with our use of third-party service providers. Under this program, we perform initial risk assessments prior to selecting and engaging third-party service providers as well as ongoing risk assessments in an effort to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners. The VRM program is designed to evaluate the cybersecurity and data privacy risks associated with the use of third-party vendors that will be processing, storing, or handling Bandwidth employee, business or customer data. Based on this evaluation, the VRM program records a risk rating, advises on selection or implementation recommendations, and informs contractual terms with the applicable third party, such as privacy, security, and data protection commitments. In addition to new vendor onboarding, the VRM program includes annual review of critical service providers, ongoing assessment of expanded use cases, and evaluation of potential third-party incidents. We monitor and evaluate reports of third-party cybersecurity threats to identify and mitigate potential risks to us from third-party incidents in our supply chain.

Our Application Security program proactively performs static and dynamic scanning of systems and software code. In addition, we perform vulnerability scans daily on our systems and assets. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner with continuous monitoring from our Security Operations Center. These tools include, but are not limited to, Endpoint Detection and Response, Security Information and Event Management, Attack Surface Management, Static Application Security Testing, Dynamic Application Security Testing, DDoS Mitigation Services, threat detections including intelligence and brand monitoring, intrusion detection sensors, network firewalls and web application firewalls.

Our systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information (of third parties, employees, and our members) and other data, confidential information or intellectual property. The DDoS attack we experienced in late 2021 did have a material impact on our results of operations. We do face risks from similar attacks and other cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition. Further, an attack on, or penetration of, our systems or a third party's systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risks. See Risk Factors - Attacks on or breaches of our networks or systems, or those of third parties upon which we rely, could degrade our ability to conduct our business, compromise the integrity of our services and our communications platform, result in service degradation or outages, significant data losses, the theft of our intellectual property, investigations by government agencies and damage to our reputation, and could expose us to liability to third parties and require us to incur significant additional costs to maintain the security of our networks and data.

Cybersecurity Governance

Our board of directors oversees our annual enterprise risk assessment, where we assess key risks within the company, including security and technology risks and cybersecurity threats. Our board of directors receives an update on Bandwidth's risk management process at least annually, and receives quarterly cybersecurity updates from our Chief Information Officer (CIO). Our CIO and our Vice President, Information Security lead our global information security organization and are responsible for overseeing our information security program. Our Vice President, Information Security has over 25 years of industry experience, including serving in similar roles, building, leading and overseeing cybersecurity programs at other private and public companies. Team members who support our information security program have relevant educational and industry experience, including application security, security operations, forensic and incident response, governance, risk and compliance.

At the management level, our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, operations, legal and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of our and our customers' information by identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. Our Executive Security Committee, which includes our Chief Operating Officer, our CIO, our Chief Technology Officer, our Chief Development Officer, our General Counsel and other cross-functional participants, meets monthly to evaluate our cybersecurity risks and related response efforts.

Education and Awareness

Our policies require each of our employees to contribute to our data security efforts. We regularly remind employees of the importance of handling and protecting customer and employee data, including through annual privacy and security training designed to enhance employee awareness of how to detect and respond to cybersecurity threats.


Company Information

Name: Bandwidth Inc.
CIK: 0001514416
SIC Description: Services-Prepackaged Software
Ticker: BAND - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30