Rackspace Technology, Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Rackspace Technology, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 16:45:27 EDT.

Filings

10-K filed on 2024-03-15

Rackspace Technology, Inc. filed an 10-K at 2024-03-15 16:45:27 EDT
Accession Number: 0001810019-24-000042

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C CYBERSECURITY We are materially dependent upon our networks, information technology infrastructure and related technology systems to provide services to our customers, manage our internal operations and support our strategic objectives. Cyber-attacks have become prevalent in our industry, and the techniques used to sabotage or obtain unauthorized access to systems are constantly expanding and evolving. Malicious actors are increasingly sophisticated in their methods, tactics, techniques and procedures, seeking to steal money, gain unauthorized access to, destroy or manipulate data, and disrupt operations. As of the date of this report, we have not identified any cybersecurity threats or cybersecurity incidents that have materially a ffected or are reasonably anticipated to have a material adverse effect on our business. However, we have experienced and expect to continue to experience cybersecurity threats and cybersecurity incidents. As an example, in December 2022, we previously disclosed a ransomware incident that caused service disruptions for our Hosted Exchange customers. We are committed to maintaining robust governance and oversight of cybersecurity risks and implementing recognized industry best practices to help prevent, detect, mitigate and respond to these risks however, we cannot provide assurance that cybersecurity risks will not materially affect our business in the future, including our business strategy, results of operations, or financial condition or that our controls, processes and procedures will be fully complied with or that our program will be fully effective in protecting the confidentiality, integrity and availability of our information systems. Cybersecurity threats, whether or not successful, could result in our incurring significant costs related to rebuilding our internal systems, writing down inventory value, implementing additional threat protection measures, providing modifications or replacements to our products and services, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as incurring significant reputational harm. In addition, these threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventative measures. We have seen an increase in cyberattack volume, frequency and sophistication. See " Risk Factors - Security breaches, cyber-attacks and other interruptions to our or our third-party service providers infrastructure have disrupted and may continue to disrupt our internal operations and we may be exposed to claims and liability, lose customers, suffer harm to our reputation, lose business-critical compliance certifications and incur additional costs. " for more information on our cybersecurity risks. Risk Management and Strategy Cybersecurity risk management is a component of the company s broader enterprise risk management program and we have established cybersecurity policies and procedures to protect against and mitigate harm from cybersecurity incidents. We respond to cybersecurity incidents in accordance with our cybersecurity policies and procedures and applicable law. Rackspace maintains a cross-functional approach to cybersecurity risk, which is designed to help prevent, identify, assess, manage, mitigate, and respond to cybersecurity threats. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and other processes to assess, identify, manage and address material cybersecurity risks. These include, among other things: annual and ongoing security awareness training for employees mechanisms to detect and monitor unusual network activity and containment and incident response tools. We monitor issues that are internally discovered or externally reported that may affect our operations, systems, network, data, products and/or services, and have processes to assess those issues for potential cybersecurity impact or risk. We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience. Our cybersecurity policies and procedures include incident response plans which guide our employees, senior management, the Audit Committee and the Board on our response to cybersecurity incidents, including escalation processes, as appropriate. - 45 - Table of Contents Our team engages with external cybersecurity advisors and experts, including outside counsel and outside cybersecurity firms, assessors, auditors and consultants as necessary or appropriate. We also maintain numerous industry-related compliance certifications for various aspects of our business, such as International Organization for Standardization (“ISO”) 27001, Service Organization Controls (“SOC 1, 2, 3”) and Payment Card Industry (“PCI”), Federal Information Security Management Act (“FISMA”), Federal Risk and Authorization Management Program (“FedRAMP”) and Health Information Trust Alliance ( HITRUST ) in the U.S., Information Security Registered Assessors Program (“IRAP”) in Australia and Public Services Network (“PSN”) in the U.K. Our cybersecurity policies and procedures are designed to vet key third-party providers and provide for oversight and cooperation regarding cybersecurity incidents. In addition, our cybersecurity policies and procedures require our third-party providers to meet appropriate security requirements and we investigate security incidents that have impacted our third-party providers, as appropriate however, our ability to monitor our third-party service providers data security is limited. Governance Board Oversight The Audit Committee of our Board of Directors (the Board ) oversees our cybersecurity risk. The Audit Committee receives regular cybersecurity specific updates from management (including our Chief Security Officer ( CSO ) and/or other key personnel), typically on a quarterly basis, about the prevention, detection, mitigation, and remediation of cybersecurity threats and cybersecurity incidents, as well as the evolving cybersecurity landscape, recent program enhancements and other relevant topics. The Audit Committee reports to our Board and a number of our Audit Committee and Board members have experience in assessing and managing cybersecurity risks. In addition to this regular reporting, significant cybersecurity risks or threats may also be escalated to the Audit Committee and/or the Board on an as-needed basis. Management s Role Our CSO leads our overall cybersecurity function and supervises our cybersecurity team s efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents. She provides regular updates directly to the Audit Committee, typically on a quarterly basis. She has over 20 years of experience in information security leadership positions, including with large technology and healthcare companies as well as several large financial institutions. She holds a BS from Arizona State University and has been with us since 2019. Our CSO reports to our President Artificial Intelligence, Technology and Sustainability, who has been a CIO or CTO of two other large publicly traded companies. He provides overall leadership and guidance for the company s technology department, including the cybersecurity team. He holds an MBA in international business from The Ohio State University, an MCA in computer science from the University of Mumbai, a BS in physics from the University of Madras and has been with us since 2021. Key security, risk, and compliance personnel across a cross-functional group of internal stakeholders, including senior management, meet regularly to develop and continually evaluate our cybersecurity policies and procedures, including discussions of the following: cybersecurity strategies for preservation of the confidentiality, integrity and availability of company and customer information identification, prevention and mitigation of cybersecurity threats and incidents and effective response to cybersecurity incidents (including escalation procedures of certain cybersecurity incidents so that decisions regarding public disclosure and other required reporting can be made by the appropriate personnel in a timely manner). - 46 - Table of Contents

Company Information