E2open Parent Holdings, Inc. 10-K Cybersecurity GRC - 2024-04-29

Page last updated on April 29, 2024

E2open Parent Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-29 16:35:15 EDT.

Filings

10-K filed on 2024-04-29

E2open Parent Holdings, Inc. filed an 10-K at 2024-04-29 16:35:15 EDT
Accession Number: 0000950170-24-049948

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We believe we have appropriate processes for assessing, identifying and managing material risks from cybersecurity threats. Those processes are embodied in our enterprise-wide cybersecurity risk management program (Cyber Risk Program), which includes our cybersecurity governance structure and our cybersecurity strategy and processes. Governance Structure Board of Directors Oversight Our board of directors has delegated oversight of our Cyber Risk Program to the Risk Committee of the board of directors. The presentations to the Risk Committee cover, among other things, our cyber incident experience, ongoing cyber threats, material risks, deployment of cybersecurity controls and risk mitigants, engagement of third parties (e.g., consultants and auditors) and third-party tools, our cyber insurance coverages and our employee-training programs. Management s Assessment and Management of Cybersecurity Threats Members of the executive management team, along with others from senior management and others with varying areas of expertise, are engaged as part of our Cyber Risk Program: Executive Vice President, Product Development & Infrastructure R&D: Direct management of our Cyber Risk Program falls within our Product Development and Infrastructure Research and Development team. The Executive Vice President (EVP) in charge of this team has extensive experience regarding cybersecurity matters and threats affecting business-to-business software and cloud services vendors such as E2open. The EVP is a member of our Cybersecurity Subcommittee of our Disclosure Committee, which is responsible for helping to determine whether a Cybersecurity Incident is material for purposes of publicly reporting cybersecurity incidents. Our EVP chairs our management Cybersecurity Subcommittee. General Counsel: Our General Counsel has experience providing legal advice regarding cybersecurity-related programs as well as engaging with outside advisors and insurance brokers and underwriters on cybersecurity coverage, claims and loss mitigation. Our General Counsel is a member of our Cybersecurity Subcommittee of our Disclosure Committee. Senior Vice President, Information Security and Compliance: Our Senior Vice President (SVP) has direct management of our Cyber Risk Program. He manages the day-to-day operations, oversees our security analysts and engineers and participates in our Cybersecurity Subcommittee meetings. He is trained in cybersecurity strategy, planning, and execution and holds industry recognized security certifications, including Certified Information Systems Security Professional (CISSP) from the International Information System Security Certification Consortium (ISC2) and Certified Information Security Manager (CISM) from the Information Systems Audit and Control Association (ISACA). Cybersecurity Subcommittee: We have created a Cybersecurity Subcommittee of our management Disclosure Committee which includes, in addition to the EVP and General Counsel, the Chief Accounting Officer. The Cybersecurity Subcommittee s purpose is to review cybersecurity risks, discuss emerging threats, prioritize cybersecurity efforts and make recommendations to leadership. Additionally, the Chair of the Subcommittee shall convene a meeting when either: (a) he believes a reported incident or the occurrence of a series of related incidents, requires the analysis and discussion of the Subcommittee or (b) when any member of the Subcommittee believes that such a discussion would be appropriate. Such meeting shall be convened within 48 hours of the incident, or sooner if reasonably practicable, to expedite a materiality determination for public company reporting purposes. Response Team: Pursuant to our Crisis Response Program, our Response Team, which comprises the General Counsel, Chief Financial Officer and an expanded team from our material business lines and administrative departments, as well as outside advisors/experts (cyber forensics, external legal counsel, law enforcement, public relations), is charged with managing the Company through a cybersecurity incident (or other event or series of events) that rise to the level of a Company crisis. The Program includes protocols by which the General Counsel or Chief Financial Officer, on behalf of the Response Team, will report to or engage the Chief Executive Officer and the Chairman of the board of directors if and when an incident becomes a crisis or potential crisis. 37 Other Roles: The Cyber Risk Program includes engagement of other Company management employees and outside service providers to oversee or perform specific roles in connection with cybersecurity risk assessment and management, and incident management. That includes risk and security heads from our material business lines who implement and administer policies specific to those business lines and independent auditors to certify compliance with our internal control over financial reporting, the American Institute of Certified Public Accountants Systems and Organization Controls (SOC 2) security framework. We also conduct reviews for compliance with data protection regulation such as Europe s General Data Protection Regulation (GDPR) and regulation of various U.S. states such as the California Consumer Privacy Act (CCPA). Risk Management and Strategy Overview of Processes for Assessing, Identifying, and Managing Material Cyber Risks The principal objectives of our Cyber Risk Program are to minimize the risks associated with cybersecurity threats to our business operations, financial performance and financial condition, and protect the confidential information, intellectual property and other assets of E2open, and those of our customers, vendors, partners, employees and consumers that can be at risk due to cybersecurity threats to E2open. We have incorporated industry recognized cybersecurity frameworks and standards into our Cyber Risk Program, including frameworks from the National Institute of Standards and Technology (NIST) and security control auditing protocols from the Center for Internet Security (CIS) and the International Organizations for Standardization (ISO). Recognizing that the nature of cybersecurity threats and the particular threat vectors we face continually change, we continue to invest in updating and enhancing our Cyber Risk Program. Under our Cyber Risk Program, our SVP, and the cybersecurity staff, along with our management-led Cybersecurity Subcommittee, with input where appropriate from our third-party advisors, work to identify our cybersecurity threats, assess the risks and deploy appropriate technologies and processes to mitigate the risks. When cybersecurity incidents occur, these resources work to manage through the incident utilizing advanced security tools and playbooks, and in accordance with processes set out in our various policies and practice documents, which include internal communications protocols to keep the executive team and, where appropriate, the Risk Committee and board or directors, informed. Pertinent policy and practice documents include, among others, E2open s Guidelines for Cybersecurity Determination for Item 1.05 of Form 8-K (governing the Company s materiality determination for reporting purposes) and our Crisis Response Plan. As an important cybersecurity risk mitigant, E2open provides mandatory training to its new hires and quarterly training of its employees, including phishing simulation tests and follow-up tests as needed, along with monthly cybersecurity newsletters and other cyber risk-related communications. Integration into Overall Risk Management System or Processes Our risk management systems and processes comprise numerous components, including published policies and procedures, risk detection systems, tools, and protocols (automated and human), internal and external independent auditing, management committee review, defined lines of communications, employee training, engagement of outside advisors and experts, assessment and utilization of both commercial and self-insurance opportunities, customer contract standardization where possible, legal review of vendor engagements and new products for regulatory compliance, regular operations reviews with the Chief Executive Officer and Risk Committee. E2open utilizes the foregoing systems and processes to best ensure effective management of our risks and associated cybersecurity threats. The EVP reports to the Risk Committee at least quarterly on the status of our Cyber Risk Program. Engagement of Third Parties As part of our Cyber Risk Program, we engage outside independent auditors, consultants, and professional advisors. We also engage industry-leading cybersecurity service and systems providers to assist with protection from and detection of cybersecurity threats and incidents and our responses to them. Risks from Third Party Service Providers and Others Our cybersecurity team, under the oversight of the SVP, performs risk assessments on third party service providers and other third parties (such as partner companies), as well as third party software and hardware utilized in its operations, that may have the potential to create cybersecurity threats to our data and operations. 38 Risks from Cybersecurity Threats Likely Material Impact See the risk factor entitled Cyber-attacks and security vulnerabilities could result in serious harm to our reputation, business and financial condition. in Item 1A, Risk Factors . We do not believe any risks from previous cybersecurity threats have materially affected or are reasonably likely to materially affect E2open.

Company Information