8X8 INC /DE/ 10-K Cybersecurity GRC - 2025-05-22

Page last updated on May 26, 2025

8X8 INC /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-22 16:04:01 EDT.

Filings

10-K filed on 2025-05-22

8X8 INC /DE/ filed a 10-K at 2025-05-22 16:04:01 EDT
Accession Number: 0001023731-25-000039

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity 8x8 recognizes that cybersecurity is critical to the trust placed in our platform by customers, partners, and other stakeholders. The Company is committed to maintaining the confidentiality, integrity, and availability of its systems and data through a comprehensive cybersecurity risk management and governance framework. Cybersecurity Risk Management and Strategy 8x8 maintains a global cybersecurity risk management program aligned with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. This program is integrated and embedded within the Company’s overall enterprise risk management, or ERM, process and designed to proactively identify, assess, and manage cybersecurity threats that could materially affect our business operations, financial condition, or reputation. Key components of the program include: - Continuous threat monitoring and intelligence , with real-time detection capabilities across cloud and on-premise environments. - Periodic risk assessments and threat modeling , covering internal assets and supply chain exposure. - Third-party penetration testing , security audits, and independent assessments conducted at least annually. - A vulnerability management lifecycle to identify, prioritize, and remediate security flaws in infrastructure and applications. - Employee cybersecurity training and phishing simulations , tailored by role and location. 8x8 engages reputable external security firms and consultants to support ongoing evaluations , and has obtained certifications and attestations across various jurisdictions and industries (including ISO/IEC 27001, CyberEssentials Plus et al, and compliance with frameworks applicable to communications and cloud service providers). To date, the Company has not experienced any cybersecurity incidents that have materially impacted its operations or financial condition. Nevertheless, cybersecurity threats continue to evolve, and the Company has developed and implemented a comprehensive Incident Response Plan to effectively manage cybersecurity incidents. The plan is regularly reviewed, tested, and updated to facilitate its effectiveness in mitigating and responding to cybersecurity threats promptly. Governance The Company’s board of directors, through its Technology & Cybersecurity Committee, oversees 8x8’s cybersecurity risk management strategy. This committee meets quarterly and receives briefings from senior leadership on cybersecurity risk trends, controls testing and efficacy, compliance posture, and incident management preparedness. The full board of directors is informed at least annually on cybersecurity matters, with additional updates as needed. The Company’s Chief Information Security Officer, or CISO, leads the cybersecurity program and reports functionally to the Chief Legal Officer, and periodically to the CEO, the Executive Risk Management Committee, and the board of directors. The CISO has over 25 years of global cybersecurity, information security, disaster recovery, and business continuity experience, including leadership roles across UK national infrastructure and global Fortune 100 and 500 companies. The CISO holds an M.S. in Information Technology Security (with distinction), and is a Certified Information Security Manager, or CISM, and Certified Information Systems Security Professional, or CISSP. While the board of directors has not formally designated a cybersecurity expert under SEC regulations, the Technology & Cybersecurity Committee includes directors with backgrounds in technology, data governance, and risk oversight, and all directors participate in training sessions to continue to enhance their understanding of cybersecurity issues and their implications for the Company. 33

Company Information