Rimini Street, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Rimini Street, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 07:00:53 EST.

Filings

10-K filed on 2024-02-28

Rimini Street, Inc. filed an 10-K at 2024-02-28 07:00:53 EST
Accession Number: 0001635282-24-000030

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity As a company that provides managed support services and security solutions for client applications, databases and technology infrastructure, we are committed to protecting the confidentiality, integrity and availability of our and our clients information assets. We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. As described further below, we maintain a formal and comprehensive information security management framework based on the ISO 27001:2013 Information Security Management System standard and have implemented policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. Our Board, including the Audit Committee of our Board, and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. Risk Management and Strategy Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance obligations are identified and addressed through a multi-faceted approach, which involves independent third-party assessments and testing, internal audit, IT security, governance, risk and compliance reviews. To defend, detect and respond to cybersecurity incidents, we, among other things, invest in and deploy industry leading cybersecurity tools and platforms; conduct proactive cybersecurity and privacy reviews of software, systems, applications and third party vendors; develop applicable policies and processes; perform independent penetration testing to evaluate and test security controls; conduct employee training and testing; monitor emerging laws and regulations related to data protection and information security though a dedicated team of in-house attorneys with experience in privacy and security matters; and monitor and respond to emerging threats, implementing appropriate mitigating controls as necessary. We have established policies and procedures, including our Incident Response Plan ( IRP ), for assessing, identifying, managing, and responding to cybersecurity and privacy threats and incidents, including protocols for assessing potential material impact from cybersecurity threats and incidents, escalating to executive leadership and the Board, engaging external stakeholders, and reporting incidents based on applicable legal requirements. Our IRP provides guidance in the event of a cybersecurity incident, including processes with roles and responsibilities assigned to members of our Incident Response Team ( IRT ), to triage, assess severity, escalate, contain, investigate, and remediate incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. Our IRT is led by our Vice President, Global Security, with representatives from our IT, Security, Corporate Legal, Communications and Public Relations, Human Resources, Ethics & Compliance and Finance departments/functions. We conduct post-incident reviews of our response to cybersecurity threats and incidents, in addition to evaluating the effectiveness of supporting recovery protocols. In addition, employees and stakeholders can report cybersecurity threats, cybersecurity and data privacy incidents, or other concerns through external and internal reporting channels. Internally, we have a security awareness program which includes training that reinforces our information technology and security policies, standards and practices, and we require that our employees comply and formally attest to these policies. The security awareness program offers training on how to identify potential cybersecurity risks and protect our resources and information. This training is mandatory for all employees annually, and it is supplemented by testing initiatives, including periodic phishing tests. Regarding data privacy, in 2023, our Ethics & Compliance Department implemented an annual privacy awareness initiative known as Data Privacy Week, celebrating an event known as International Data Privacy Day, which is acknowledged in over 50 countries as promoting data privacy best practices and raising awareness about the importance of data protection. Data Privacy Week messaging includes highlighting the various departments and employees who support our data privacy and security compliance efforts, as well as trivia challenges designed to engage employees on this topic. Finally, our -40- compliance program requires all employees to take periodic awareness training on data privacy. This training includes information about confidentiality and security, as well as responding to unauthorized access to or use of information. As noted above, we have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate. Also as noted above, to ensure the confidentiality and integrity of data and to protect against security threats or data breaches, we regularly engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and maintain and certify to a formal and comprehensive security management standard: ISO 27001:2013 Information Security Management System. Cyberattacks continue to increase in frequency and magnitude generally, and cyber criminals are becoming more sophisticated. Although we have devoted financial and personnel resources to implement and maintain security measures to meet regulatory requirements and client expectations and will continue to make significant investments to maintain the security of our and our client s data and our cybersecurity infrastructure, there can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective against new and/or emerging threats, vulnerabilities and techniques designed to circumvent such measures. To date, our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, please refer to Risk Factors (Part I, Item 1A of this Report). Cybersecurity Governance The Audit Committee of our Board includes members with significant experience and/or expertise in technology or cybersecurity, as well as a member with cybersecurity training certifications, and is responsible for the primary oversight of enterprise risk assessment and management pertaining to the financial, accounting, liquidity, market, tax, cybersecurity and other information technology risks facing our company. At its regular meetings, the Audit Committee, which meets no less than four times per year, receives regular reports from our GVP & Chief Counsel, Chief Ethics and Compliance Officer on matters relating to data privacy and compliance, as well as from our Vice President of Risk Management on enterprise risk management, including the activities of our internal audit department surrounding audits and risk assessments of our information security management system, coverage by our insurance carriers for cybersecurity incidents, and our ISO 9001 and 27001 certifications (described above under the heading Compliance and Certifications in Part I, Item 1 ( Business ) of this Report. Beginning in the first quarter of 2024, the full Board, at least annually, and the Audit Committee of the Board, at least quarterly, will receive quarterly reports on our cybersecurity program and developments from our Vice President of Global Security. These reports will include analyses of recent cybersecurity threats and incidents at the Company and across the industry, as well as a review of our own security controls, assessments and program maturity. It is anticipated that Audit Committee oversight will include review of periodic tabletop exercises to test cybersecurity infrastructure and incident response measures. Our Global IT and Global Security departments are led by our Executive Vice President and Chief Information Officer, Gertrude Van Horn, who joined us in January 2024. Ms. Van Horn is a globally recognized, award-winning executive with over 40 years of experience in global IT leadership, information security, crisis management, strategic planning and decision-making. Her expertise spans a diverse group of industries including financial services, chemicals, global manufacturing and retail. Prior to joining us, Ms. Van Horn served in C-level and executive IT leadership roles for NCH Corporation, IntegraColor, Haggar Clothing Company, JOANN Stores, Office Depot, Victoria s Secret, American Express, and J.P. Morgan. Our Vice President of Global Security, Darren Remblence, reports to Ms. Van Horn and is responsible for the development of strategic direction, execution, and day-to-day management of global security. Mr. Remblence has more than 20 years of international experience and expertise in information security, cybersecurity, physical security, IT operations, investigations, business continuity and disaster recovery. Prior to joining us, Mr. Remblence worked at PayPal Inc., eBay Inc., The London Clearing House Ltd, Centrica Plc. and DHL International (UK) Ltd. He also served 14 years in the British Royal -41- Air Force, where he specialized in cybersecurity and counterintelligence. He received his Master of Science in IT security from the University of Westminster, London and holds CISM (Certified Information Security Manager) and CISSP (Certified Information Systems Security Professional) certifications. Generally, the implementation, management and oversight of our cyber risk strategy involves participation and input from Company personnel across a range of functional areas, including our IT, Security, Privacy, Risk Management and Legal departments/functions. Our strategy is designed to incorporate awareness of cyber risk into our day-to-day operations and functions, including the maintenance and establishment of client relationships, operating expectations, contract negotiations, the obtainment of insurance coverage and evaluations of third-party service providers.

Company Information