ExlService Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

ExlService Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 14:37:54 EST.

Filings

10-K filed on 2024-02-29

ExlService Holdings, Inc. filed an 10-K at 2024-02-29 14:37:54 EST
Accession Number: 0001297989-24-000003

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity We maintain a comprehensive information and cybersecurity and data privacy program to safeguard the security, confidentiality, integrity, availability and protection of the Company s and our clients information. We aim to continually strengthen our cybersecurity posture and protocols. We have invested in people, processes and technology intended to protect information throughout the business life cycle and to manage cybersecurity risk, and we intend to continue to do so as cybersecurity risks and methods for preventing against them evolve. We provide no assurance that the policies and procedures outlined below will be properly followed in every instance or that they will be effective in safeguarding against every possible cybersecurity threat. We describe how cybersecurity threats are likely to materially affect our business, results of operations, and financial conditions in Part I, Item 1A, Risk Factors. We believe that these risks have not materially affected our business to date, but we can provide no assurance that they will not affect us in the future. Although we maintain cybersecurity insurance to manage potential liabilities resulting from specific cybersecurity incidents, there is no guarantee that our insurance coverage limits will protect against any future claims or that such insurance proceeds will be paid to us in a timely manne r . See Risks Related to Our Business-Unauthorized disclosure of sensitive or confidential client and employee data, whether through breach of our computer systems or otherwise, could cause us significant reputational damage, expose us to protracted and costly litigation, and cause us to lose clients. Cybersecurity Strategy and Risk Management Our cybersecurity strategy is founded on policies, processes and practices that are integrated into our overall risk management system. These policies, processes and practices are aimed at building a cyber-resilient organization by implementing and operationalizing cybersecurity capabilities to identify, protect, detect, respond and recover from cybersecurity threats and incidents and are guided by relevant regulatory and governance bodies, including but not limited to the Cyber Security Framework of the National Institute of Standards and Technology. We have undertaken measures designed to comply with applicable privacy laws and regulations that are applicable to our services. These security capabilities are designed to mitigate material vulnerabilities and the impact of cyber incidents. We regularly conduct cybersecurity and other risk assessments and compliance audits both internally and through third party auditors that we independently engage or that we engage in connection with our certification to certain international standards, such as the ISO 27001:2013 standard for information security management systems, the ISO 22301:2012 for business continuity management systems, the ISO 9001:2008 standard for quality management systems, among others. We also 24 Table of Contents regularly assess and deploy technical safeguards and conduct vulnerability assessment and penetration testing of our technology environment independently and through third parties. We use the outcome of these assessments to align our cybersecurity program and technical safeguards with the evolving cybersecurity threat landscape and adjust and augment our security controls environment as required. We have implemented a third-party risk management program to proactively identify and mitigate any potential risks that emerge from our supplier and partner ecosystem. There are processes in place to restrict and provide need-based access to sensitive or confidential data for third parties. We conduct periodic evaluations of key suppliers and partners for ongoing monitoring of the risk environment. Incident Response and Recovery Planning While processes are in place to minimize the occurrence of a successful cyberattack, we have institutionalized detailed incident response procedures to address a cyber threat that may occur despite these safeguards. The response procedures are designed to identify, analyze, isolate and contain, remediate, and, if applicable, report any such material cyber incidents that occur. We have developed a materiality assessment approach for cyber and a cyber crisis communication methodology for structured and timely notification to internal and external stakeholders. Further, we have empaneled specialized cyber partners to provide advanced investigation capabilities and response management support in case of a real cyber incident. Training and Awareness We maintain a comprehensive information and cybersecurity awareness and training program for all employees and contracted resources. This includes a mandatory annual information security training, periodic simulations such as red teaming and tabletops, regular communications on relevant topics and policies related to data privacy, phishing, email security best practices, among others. We provide specialized security training for certain roles with access to sensitive data, including human resources or employees who regularly handle personal or sensitive information. Governance (Management Oversight and Engagement with the Board of Directors) Cybersecurity is governed by our cross-functional apex body, the Management Security, Continuity and Privacy Forum ( MSCPF ), comprised of management representatives across all of our business units and enterprise functions such as Legal, Human Resource, Growth and Strategy, Compliance, Technology and Information Security. The MSCPF periodically reviews the strategy, policy, program effectiveness, standards development, cybersecurity risks, incident, and response preparedness. The Audit Committee of our board of directors provides primary oversight and strategic guidance on Cybersecurity. The Audit Committee receives reports from management, typically on a quarterly basis, regarding our security risk management, including cybersecurity-related risks, vulnerabilities, policies, practices, and strategic initiatives. Annually, our board of directors receives a report from management on our cybersecurity posture, our readiness and our capability to reduce the risk of, detect and respond to a cyberattack. In 2022 and 2023, our senior management and board of directors completed cyber tabletop exercises to further enhance our preparedness in the event of an actual incident.

Company Information