Crexendo, Inc. 10-K Cybersecurity GRC - 2024-03-05

Page last updated on July 2, 2024

Crexendo, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-05 17:16:02 EST.


10-K filed on 2024-03-05

Crexendo, Inc. filed a 10-K at 2024-03-05 17:16:02 EST
Accession Number: 0001654954-24-002655


Item 1C. Cybersecurity.

As a technology vendor within hosted services segment, Crexendo understands the importance of cybersecurity and data privacy. To proactively protect against related threats, and to be fully prepared for timely and effective response in case of an incident, a comprehensive program has been put in place leveraging the following:

Cybersecurity Compliance Framework - Crexendo has adopted System & Organizational Controls (SOC2) for the service organization responsible for Crexendo Hosted product and related corporate assets/entities. Implemented controls cover trust services criteria of security, availability, processing integrity, confidentiality, and privacy. Independent service auditors have been engaged to measure the efficacy of implemented controls.

Threat/Vulnerability Assessment & Remediation - Third party security advisors have been engaged to periodically execute internal and external vulnerability scans for deployed production and organizational assets to flag any known vulnerabilities within deployed third-party components including but not limited to operating systems, web server software, hypervisor software etc. Similarly, penetration tests are conducted periodically to expose any vulnerabilities within the deployment environment and/or deployed software; including but not limited to open firewall ports beyond deployment design, use of ciphers deemed insecure etc. Crexendo Information Security Policy defines time periods within which a particular severity (critical v/s major v/s minor) vulnerability needs to be addressed. Reported vulnerabilities, along with applicable resolution timeline and efforts are recorded within the internal problem tracking system and are tracked as part of quarterly security and privacy review sessions.

Continuous Monitoring - As part of the proactive security measures, Crexendo deploys EDR/XDR tools across employee workstations, and mines significant events coming from critical infrastructure assets within a SIEM software. Any threat or prevention notifications are sent to IT & Security team for further analysis and additional actions are performed as deemed necessary to maintain the integrity and security of the corporate and production environments.

Incident Response Plan - To be prepared for any natural or cybersecurity incident involving sensitive data breach across employees, customers, contractors, or vendors; and/or affecting service availability for the organization or customers, a comprehensive incident response plan along with disaster recovery & business continuity plan has been documented. The plan contains details on aspects including but not limited to - incident identification, operational playbook and responsibility matrix, communication and notification procedures, and reporting to legal/governing bodies based on severity of the incident. C level executives and the board are notified if warranted by the severity of the incident. The plans are reviewed annually for enhancements and inter-department alignment. Tabletop exercises are conducted to measure the effectiveness of the plans and any findings are factored in towards further revisions of the plans.

Security Awareness - Employee awareness towards potential threats and how to steer clear of any phishing or social engineering attacks, is a critical element that governs efficacy of any cybersecurity measures. To that end, Crexendo subscribes to periodic security awareness training, and mock tests for all employees and contractors. Employees and contractors are evaluated for timely completion of the trainings, on corresponding quiz scores, and based on how they fare tackling mock phishing emails. Worse than minimum required scores trigger actions to guide the person towards better security awareness and thereby score. Disciplinary actions are in store for employees/contractors who still fail to secure the minimum required score.

Risk Management - Crexendo has instituted a security team that is responsible for security/compliance strategy and corporate governance policies. The team makes sure that implemented SOC2 controls are supported by complementing processes and procedures. Cybersecurity risk is managed thru effective inter-department cooperation towards assessing and remediating risks ranging across corporate IT, software development, software quality process, production network architecture and deployment, and data security/privacy. Crexendo relies on a number of third-party vendors and contractors in order to provide products and services to its customers as well as to augment the resource pool. On an annual basis, all significant third-party vendors and subservice organizations are assessed for any applicable cybersecurity or service availability risks. Vendors and contractors with access to sensitive data and/or information are expected to meet certain information security requirements.

Board & Executive Oversight - Executive buy in and support is a must for the success of any cybersecurity program. Crexendo C-suite executives and the Board of Directors have the primary responsibility of overseeing organizational cybersecurity and data privacy/security risk management. Apart from any incidents that require notification to the top management and the board, an end-of-the-year update is presented by Crexendo security team to the executive management and the board. The update provides an overview of organizational security stature, any experienced incidents, in-flight security/compliance projects, and opportunities for improvement. The Board factors in the input towards security and compliance program budget to strike a balance between the expense and corresponding risk.

Risks from Cybersecurity Threats - Crexendo provides products and services within Software as a Service (SaaS) market segment. Specifically, the company provides hosted Unified Communication as a Service (UCaaS), where the customer base is highly sensitive towards privacy, service quality and service availability. With the growing number of threats from a combination of bad actors, process lapses, human errors, and third-party vulnerabilities, Crexendo is subject to increasing and evolving cybersecurity threats. While, we have a comprehensive cybersecurity and compliance program in place as an effort to counter the threats, and while we have not been subject to any cyberattacks that, individually or in the aggregate, have been material to Crexendo’s operations or financial condition, there can be no guarantee that Crexendo will not experience such an incident in the future. For more information on the risks from cybersecurity threats that we face, refer to “Risk Factors - Operational Risks - Cyber attacks impacting our networks or systems could have an adverse effect on our business” in Part I, Item 1A of this Annual Report on Form 10-K.

Company Information

Name: Crexendo, Inc.
SIC Description: Telephone Communications (No Radiotelephone)
Ticker: CXDO - Nasdaq
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30