LIVEPERSON INC 10-K Cybersecurity GRC - 2024-03-04

Page last updated on April 11, 2024

LIVEPERSON INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-04 17:22:46 EST.

Filings

10-K filed on 2024-03-04

LIVEPERSON INC filed an 10-K at 2024-03-04 17:22:46 EST
Accession Number: 0001102993-24-000037

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Company has implemented and maintains a cybersecurity program governed by an information security team responsible for managing and directing strategy, policy, standards, architecture, controls, and processes. The cybersecurity program is underpinned by a cybersecurity risk management framework designed to identify and prioritize cybersecurity risks to the Company and is overseen by our Board of Directors. 39 Risk management and strategy Our cybersecurity program is designed to protect our information systems from cyber threats and to ensure the confidentiality, integrity and availability of systems and information used, owned or managed by the Company related to our employees, our customers and their users. This involves an ongoing effort to protect against, detect and respond to cybersecurity threats and vulnerabilities. LivePerson maintains a security risk management program that is tasked with determining the cybersecurity threats that pose the greatest risk to the Company. This program is managed by the Security Risk Committee, chaired by the Chief Security Officer ( CSO ), as well as representative members from security, operations, and internal audit leadership. The committee meets at least twice annually. A resultant risk assessment produced by the committee is leveraged to inform senior leadership and our Board of Directors on top areas of risk, as well as to shape the security and technology team s roadmap. Our cybersecurity program includes a number of components, such as: regular cybersecurity risk assessments, audits, and penetration tests; policies generally aligned with industry standards such as Information Security Standard ( ISO ) / International Electrotechnical Commission 27001 and the PCI Data Security Standard; measures to block and prevent certain malicious activity, such as endpoint detection and response controls; measures to block and prevent certain network attacks, such as firewalls and Distributed Denial of Service mitigation tools; measures to secure remote access, such as virtual private networks and multi-factor authentication; cybersecurity training programs for employees, contractors and agents, including regular phishing simulations; a vulnerability disclosure program to compensate researchers for responsible disclosure of vulnerabilities in our platform; the maintenance of a Security Incident Response Plan with periodic tabletop testing; and third-party risk management processes designed to manage risks associated with vendors and suppliers. The goal of the Company s information security program is to manage risks in a prioritized fashion; however, control gaps and/or their related control effectiveness, resource constraints, and execution failure can pose cybersecurity risk to the Company. In the event of a cyber incident, the Company has a process in place whereby the information security team will alert the appropriate levels of management, as well as the legal and finance departments so that the materiality of any such event can be determined. The Company actively engages with key vendors and industry participants, and monitors and analyzes intelligence and law enforcement community security publications as part of its continuing efforts to obtain current threat intelligence, collaborate on security enhancements, and evaluate and improve the effectiveness of its cybersecurity processes. The Company also regularly engages with external parties to perform: periodic cybersecurity assessments, such as maturity assessments against the National Institute of Standards and Technology Cybersecurity Framework; managed detection and response for certain public cloud environments; penetration testing; continuous proactive threat hunting; cyber threat intelligence services including dark web monitoring; and audits against industry standards including Systems and Organization Controls 2 ( SOC 2 ), ISO 27001, PCI, and the HITRUST CST. In the ordinary course of our business, our third-party service providers ( TPSPs ) collect, process and store certain information and other data related to us or our customers and their users. We assess the cybersecurity practices of our TPSPs through a variety of measures, including a due diligence process designed to assess and manage the potential risks of such TPSPs to the Company. This process involves evaluation of security questionnaires, review of available SOC 2 reports, and performance of interviews prior to onboarding TPSPs over certain risk thresholds, with annual re-reviews for our highest risk tier TPSPs. Despite these measures, we are reliant on the security practices of our TPSPs, which may be outside of our direct control. 40 We experience cyber-attacks of varying degrees on a regular basis in the ordinary course of our business. As of the date of this report and for the time period of January 1, 2023, through December 31, 2023, the Company is not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. However, there can be no assurance that we will not be materially affected by such risks in the future. For information on the cybersecurity threats and risks we face and the potential impacts on the business related thereto, see Item 1A. Risk Factors Risks Related to Security Vulnerabilities and Service Reliability . Governance Our information security team is led by our CSO. Mr. Friedman has held the position of CSO at organizations across multiple industries, including financial services, for over 13 years and holds industry security certifications including Certified Information Systems Security Professional ( CISSP ), Certified Information Systems Auditor ( CISA ), Certified Information Security Manager, and Certified in Risk and Information Systems Control. Many members of the information security team also hold CISSP, CISA and other security related certifications. The information security team is made aware of security risks and incidents through a number of channels: performance of risk assessments on at least an annual basis by the Security Risk Committee; providing SOC capabilities for the detection and response of cyber incidents; serving as the point of contact for reporting actual or suspected cyber incidents; managing compliance and certification for in-scope security related compliance frameworks and regulations; managing internal and external penetration tests, vulnerability scans, and the Company s vulnerability disclosure program; and monitoring of cyber threat intelligence and evaluation and analysis of the potential impact of zero day vulnerabilities. Our Board of Directors takes an active role in overseeing the management of cybersecurity risks to the Company. The information security team provides periodic reports to the Cybersecurity and Technology Committee of the Board, as well as to the full Board, the Company s Chief Executive Officer and other members of senior management, as appropriate. These reports include updates on the Company s cyber risks and threats, the status of projects to strengthen its information security systems, assessments of the cybersecurity program and the emerging threat landscape. The cybersecurity program is periodically evaluated by internal and external experts with the results of those reviews reported to senior management and the Board of Directors.

Company Information