E2open Parent Holdings, Inc. 10-K Cybersecurity GRC - 2025-04-29

Page last updated on April 30, 2025

E2open Parent Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-04-29 16:32:16 EDT.

Filings

10-K filed on 2025-04-29

E2open Parent Holdings, Inc. filed a 10-K at 2025-04-29 16:32:16 EDT
Accession Number: 0000950170-25-060216


Item 1C. Cybersecurity.

Our processes for assessing, identifying and managing material risks from cybersecurity threats are embodied in our enterprise-wide cybersecurity risk management program (Cyber Risk Program), which governs our cybersecurity oversight and management structure as well as our cybersecurity strategy and processes.

Governance Structure

Board of Directors Oversight

The Risk Committee of our board of directors is responsible for the oversight of our Cyber Risk Program. The Chief Legal Officer provides quarterly updates to the Risk Committee regarding the status, findings and developments within the Cyber Risk Program. In addition, the Risk Committee receives updates and presentations from the Senior Vice President, Information Security and Compliance (SVP) at each Risk Committee meeting that cover, among other things, our cyber incidents and responses, ongoing cyber threats, material risks, deployment of cybersecurity controls and risk mitigants, engagement of third parties (e.g., consultants and auditors) and third-party tools, our cyber insurance coverages and our employee-training programs. The Risk Committee then reports to the full board of directors at each regular meeting of the board of directors. Additionally, at least one member of our board of directors possesses cybersecurity risk oversight experience, which contributes to the board’s ability to understand and evaluate cybersecurity-related matters.

Management’s Assessment and Management of Cybersecurity Threats

Members of the executive management team, along with others from senior management and others with varying areas of expertise, are engaged as part of our Cyber Risk Program:

- Senior Vice President, Information Security and Compliance: Our SVP manages our Cyber Risk Program and reports directly to the Chief Legal Officer. He manages the day-to-day information security operation, oversees our security analysts and engineers and is a member of our Cybersecurity Subcommittee. He is trained in cybersecurity strategy, planning and execution and holds industry recognized security certifications, including Certified Information Systems Security Professional (CISSP) from the International Information System Security Certification Consortium (ISC2) and Certified Information Security Manager (CISM) from the Information Systems Audit and Control Association (ISACA). Our SVP has extensive experience regarding cybersecurity matters and threats affecting business-to-business software and cloud service vendors such as E2open.

- Chief Legal Officer: Our Chief Legal Officer, who also serves as our Acting Chief Risk Officer, supervises the SVP’s management of our Cyber Risk Program and is the chair of our Cybersecurity Subcommittee of our Disclosure Committee. Our Chief Legal Officer has experience providing legal advice regarding cybersecurity-related programs as well as engaging with outside advisors and insurance brokers and underwriters on cybersecurity coverage, claims and loss mitigation.

- Cybersecurity Subcommittee of the Disclosure Committee: We have created a Cybersecurity Subcommittee of our management Disclosure Committee which includes the Chief Legal Officer, SVP and Chief Accounting Officer. The Cybersecurity Subcommittee meets to discuss and evaluate whether certain cybersecurity incidents require public disclosure and makes recommendations regarding disclosure to the Disclosure Committee. Additionally, the Chair of the Subcommittee shall convene a meeting when either: (a) she believes a reported incident or the occurrence of a series of related incidents, requires the analysis and discussion of the Subcommittee; or (b) when any member of the Subcommittee believes that such a discussion would be appropriate. Such meeting shall be convened within 48 hours of the incident, or sooner if reasonably practicable, to expedite a materiality determination for public company reporting purposes. This Cybersecurity Subcommittee is pivotal in ensuring timely disclosure of material information and complying with the SEC’s final rules on cybersecurity risk governance adopted in late 2023.

- Cyber Response Team: Pursuant to our Crisis Response Program, our Response Team, which comprises the Chief Legal Officer, Chief Financial Officer and an expanded team from our material business lines and administrative departments, as well as outside advisors/experts (cyber forensics, external legal counsel, law enforcement, public relations), is charged with managing the Company through a cybersecurity incident (or other event or series of events) that rise to the level of a Company “crisis.” The Program includes protocols by which the Chief Legal Officer or Chief Financial Officer, on behalf of the Response Team, will report to or engage the Chief Executive Officer and the Chairman of the board of directors if and when an incident becomes a crisis or potential crisis.

- Other Roles: The Cyber Risk Program includes engagement of other Company management employees and outside service providers to oversee or perform specific roles in connection with cybersecurity risk assessment and management, and incident management. That includes risk and security heads from our material business lines who implement and administer policies specific to those business lines.

Risk Management and Strategy

Overview of Processes for Assessing, Identifying, and Managing Material Cyber Risks

The principal objectives of our Cyber Risk Program are to minimize the risks associated with cybersecurity threats to our business operations, financial performance and financial condition, and protect the confidential information, intellectual property and other assets of E2open, and those of our clients, vendors, partners, employees and consumers that can be at risk due to cybersecurity threats to E2open. We have incorporated industry recognized cybersecurity frameworks and standards into our Cyber Risk Program, including frameworks from the National Institute of Standards and Technology (NIST) and security control auditing protocols from the Center for Internet Security (CIS) and the International Organization for Standardization (ISO). Recognizing that the nature of cybersecurity threats and the particular threat vectors we face continually change, we continue to invest in updating and enhancing our Cyber Risk Program.

Under our Cyber Risk Program, our SVP, and the cybersecurity staff, along with the Cyber Response Team, with input where appropriate from our third-party advisors, work to identify our cybersecurity threats, assess the risks and deploy appropriate technologies and processes to mitigate the risks. When cybersecurity incidents occur, these resources work to manage through the incident utilizing advanced security tools and playbooks, and in accordance with processes set out in our various policies and practice documents, which include internal communications protocols to keep the executive team and, where appropriate, the Risk Committee and board of directors informed. Pertinent policy and practice documents include, among others, our Crisis Response Plan, which describes the detailed processes and procedures that should be followed in the event of a cybersecurity incident.

As an important cybersecurity risk mitigant, E2open provides mandatory training to its new hires and existing employees on a regular basis, including phishing simulation tests and follow-up tests as needed, along with monthly cybersecurity newsletters and other cyber risk-related communications.

Integration into Overall Risk Management System or Processes

The Cyber Risk Program is integrated into our overall risk management systems and processes. Our risk management systems and processes comprise numerous components, including published policies and procedures, risk detection systems, tools and protocols (automated and human); internal and external independent auditing; management committee review; defined lines of communications; employee training; engagement of outside advisors and experts; assessment and utilization of both commercial and self-insurance opportunities; client contract standardization where possible; legal review of vendor engagements and new products for regulatory compliance; and regular operations reviews with the Chief Executive Officer and Risk Committee. E2open utilizes the foregoing systems and processes to best ensure effective management of our risks and associated cybersecurity threats.

Engagement of Third Parties

As part of our Cyber Risk Program, we engage outside independent auditors, consultants, and professional advisors. We use independent auditors to certify compliance with internal control over financial reporting, the American Institute of Certified Public Accountants’ Systems and Organization Controls (SOC 2) security framework. We also conduct reviews for compliance with data protection regulation such as Europe’s GDPR and regulation of various U.S. states such as the California Consumer Privacy Act (CCPA). We also engage industry-leading cybersecurity service and systems providers to assist with protection from and detection of cybersecurity threats and incidents and our responses to them.

Risks from Third Party Service Providers and Others

Our cybersecurity team, under the oversight of the SVP, performs risk assessments on third party service providers and other third parties (such as partner companies), as well as third party software and hardware utilized in its operations, that may have the potential to create cybersecurity threats to our data and operations. Based on the results of these regular assessments (including assessments made before engaging a third party), we may decide to take action to address and mitigate certain risks or determine that the risk is not acceptable and terminate the relationship with the third party (or determine not to engage a third party).

Risks from Cybersecurity Threats-Likely Material Impact

See the risk factor entitled “Cyber-attacks and security vulnerabilities could result in serious harm to our reputation, business and financial condition.” in Item 1A, Risk Factors. To date, we have not identified any material cybersecurity threats or incidents that have materially affected our business strategy, results of operations or financial condition. However, we cannot guarantee that future incidents will not have a material impact.


Company Information

Name: E2open Parent Holdings, Inc.
CIK: 0001800347
SIC Description: Services-Computer Processing & Data Preparation
Ticker: ETWO - NYSE, ETWOW - OTC
Website:
Category: Large accelerated filer
Fiscal Year End: February 27