Enfusion, Inc. 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

Enfusion, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 16:16:50 EDT.

Filings

10-K filed on 2024-03-12

Enfusion, Inc. filed an 10-K at 2024-03-12 16:16:50 EDT
Accession Number: 0001558370-24-002987

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity As a cloud-based SaaS provider operating within the financial services industry, cybersecurity risk management is a critical part of our overall risk management efforts. We maintain Cyber Security and Technology Risk programs that are comprised of policies and controls designed to mitigate cybersecurity and other technology risks. We continuously 40 Table of Contents work to enhance these Cyber Security and Technology Risk programs, though we acknowledge that, at any given time, we may face known and unknown cybersecurity risks and threats that are not fully mitigated. In order to identify, assess, and manage our cybersecurity risks, we use a risk management framework informed by industry standards and industry-recognized practices, including the National Institute of Standards and Technology and the Secure Controls Framework. We perform periodic technology risk assessments based on these frameworks to identify and assess risks from cybersecurity threats and review the efficacy of our controls. These risk assessments include security assessments, vulnerability assessments, penetration testing, and security audits, and we also engage third-party security experts and consultants to assist with assessments and enhancements of our cybersecurity risk management processes, and provide benchmarks against industry practices. Using the results of these assessments, we have developed risk mitigation strategies that include a variety of technical and operational measures, such as cybersecurity training and compliance programs for all employees with access to our information systems. In addition, we maintain specific policies and practices governing our third-party risks, including our third-party risk management process. Our third-party risk management process uses a number of approaches, including consultation with outside specialists, to assess potential risks associated with third parties security controls. Generally, we also contractually require third parties who have access to our data and systems to, among other things, maintain security controls to protect our confidential information and data, and notify us of cybersecurity incidents that may impact our data. Our Global Head of Security has over 20 years of industry experience and leads a dedicated Cybersecurity, and Governance, Risk and Compliance ( GRC ) team that is responsible for managing the cybersecurity, technology risk management, and cyber continual improvement programs, as well as other activities designed to identify, assess, manage and treat risks, and respond to threats or incidents. The Cybersecurity and GRC teams include personnel with decades of experience in managing risk and selecting, deploying, and operating cybersecurity technologies, initiatives, and processes around the world. The team gathers and relies upon threat intelligence obtained from external consultants, government sources, and technology providers. Assessing, identifying, and managing our cybersecurity and technology risks is also part of our enterprise risk management ( ERM ) framework. Our ERM framework and associated process is designed to evaluate the Company s most significant risks, including, as applicable, cybersecurity and technology risks. The ERM framework and associated process is directly overseen by a management-led Risk Management Committee (the RMC ) that meets on a regular basis and is comprised of our CEO, COO, General Counsel, and Global Head of Security. The RMC, as supported by individual risk managers for each line of business, also maintains reports regarding the assessment, identification, and management of our enterprise risks for the Board to periodically review. The Global Head of Security also presents to the Board on cybersecurity risks on an approximately annual basis and the Board, through these periodic reports it receives from the RMC and the presentations by the Global Head of Security, maintains involvement with and oversight over the Company s cybersecurity risks. As part of our Cyber Security and Technology Risk programs, the Company has also established an incident response process to track and log cybersecurity incidents. This process provides for escalating notifications to our CEO and Board depending on the nature and severity of an incident. In the year ended December 31, 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For more information on our cybersecurity related risks, see Part I Item 1A. Risk Factors of this Annual Report on Form 10-K.

Company Information