Cambium Networks Corp 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Cambium Networks Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 16:05:41 EDT.

Filings

10-K filed on 2024-03-15

Cambium Networks Corp filed an 10-K at 2024-03-15 16:05:41 EDT
Accession Number: 0000950170-24-032168

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy Information about cybersecurity risks and our risk management processes is collected, analyzed and considered as part of our overall enterprise risk management program. Our cybersecurity program has been built around the National Institute of Standards and Technology (NIST) framework with flexibility to support our product development, deployment, operations, and monitoring. The NIST framework organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover, with an emphasis on prevention, detection and mitigation. We have key Company policies that directly or indirectly relate to cybersecurity matters, including policies relating to antivirus protection, remote access, multifactor authentication, restricted access based upon business need and confidentiality of information, as well as procedures designed to reduce phishing, increase employee awareness of phishing attempts and other activities. The key elements of our efforts to identify, prevent, mitigate, and remediate cybersecurity risks and incidents through our cybersecurity risk management program include: We collect and analyze information about cybersecurity risks as part of our risk management program and monitor and discuss public alerts, threat levels, trends and remediation. All employees receive periodic cybersecurity training and are exposed to phishing simulations designed to educate concerning the recognition of cybersecurity threats. We use various security tools, including internal reporting, monitoring, and bug bounty programs, to identify vulnerabilities in our products. Regular system updates and patching are done to protect our hardware and software against security vulnerabilities. 41 We conduct simulations, drills, and penetration testing to test our defenses and monitor threat levels, including the periodic performance of simulations and tabletop exercises to test our policies, incorporating external resources and advisors as needed. We have controls and procedures in place for prompt escalation of cybersecurity incidents and regularly evaluate and update contingency planning, including plans in the event that a portion of our information resources were to be unavailable due to a cybersecurity incident. We partner with third-party security consultants to review our incident response process and ensure our programs align with industry standards. We assess the cybersecurity preparedness of key vendors, review any reports on system and organizations controls, before onboarding and monitor their vulnerabilities, including any publicly reported vulnerabilities. This process includes risk assessments, security questionnaires, review of vendor security programs, review of available security assessments, reports, and audits. Depending on the nature of the services provided, the sensitivity of the information systems and data at issue, and the type of provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. We have a cybersecurity risk insurance policy. Risk Assessment While we have not experienced any prior cybersecurity incidents that have materially affected us, including our operations, business strategy, results of operations, or financial condition, we experience cyber-attacks and other attempts to gain unauthorized access to our systems on a regular basis, and we anticipate continuing to be subject to such attempts. Despite our implementation of security measures, (i) our products and services, and (ii) the servers, data centers, and cloud-based solutions on which our and third-party data is stored, are vulnerable to cyber-attacks, data breaches, malware, and disruptions from unauthorized access, tampering or other theft or misuse, including by employees, malicious actors or inadvertent error. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Risk Factors - Cyber-attacks, data breaches or malware may disrupt our operations, harm our operating results and financial condition, and damage our reputation or otherwise materially harm our business and cyber-attacks or data breaches on our customers networks, or in cloud-based services provided by or enabled by us, could result in claims of liability against us, damage our reputation or otherwise materially harm our business and -Vulnerabilities and critical security defects, prioritization decisions regarding remedying vulnerabilities or security defects, failure of third-party providers to remedy vulnerabilities or security defects, or customers not deploying security releases or deciding not to upgrade products, services or solutions could result in claims of liability against us, damage our reputation, or otherwise materially harm our business. Cybersecurity Governance Cybersecurity risk is part of management’s risk oversight, although periodic reports are made to the board of directors of management’s implementation and monitoring of our cybersecurity risks programs. Our board of directors addresses our cybersecurity risk management as part of its general oversight function, and the board receives periodic reports from management on the results of our tabletop exercises designed to test our response to cybersecurity and other business interruption situations. Management will update the board, as necessary, regarding any significant cybersecurity incidents should they occur, following the controls and procedures laid out in our business continuity, disaster recovery, data breach and crisis management plans that are designed to ensure prompt escalation of certain cybersecurity incidents, so that decisions regarding public disclosure and reporting of such incidents can be made by management and the board in a timely manner. Our cybersecurity team is led by our Vice President, IT, who reports to our Senior Vice President, Operations. Our Vice President, IT, has an M.S. degree in computer science and 31 years of experience in the information technology industry. Our cybersecurity functions include representatives from information technology, information security, legal, impacted product teams or products and other departments as needed. This team reviews enterprise risk management-level and product-based cybersecurity risks. This team is responsible for assessing and managing our material risks from cybersecurity threats and our overall cybersecurity risk management program, and supervises both our internal cybersecurity personnel and any retained external cybersecurity consultants. 42

Company Information