AGILYSYS INC 10-K Cybersecurity GRC - 2025-05-23

Page last updated on May 26, 2025

AGILYSYS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-23 18:35:15 EDT.

Filings

10-K filed on 2025-05-23

AGILYSYS INC filed a 10-K at 2025-05-23 18:35:15 EDT
Accession Number: 0000950170-25-076527

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We have an enterprise-wide information security program designed to identify, protect, detect, respond to and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we use various security tools and third-party managed security services that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools. Security awareness training is also a key component of our information security program and involves required training for our employees several times per year. We also evaluate the information security of potential partners and vendors as part of our vendor selection process and attempt to negotiate adequate protections from such third parties when we enter into contracts with them. Although our security program is designed to identify, prioritize, assess, mitigate and remediate third party risks, we rely on our partners and vendors to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful. We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We use a widely-adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards to mitigate such risks. We conduct regular reviews and tests of our information security program and also leverage tabletop exercises, penetration and vulnerability testing, 25 and third-party red team exercises to evaluate the effectiveness of our information security program and improve our security measures. We also engage an external auditor to conduct an annual Security and Organizational Controls 2 (SOC 2) examination of the security controls for systems storing customer data. The external auditor additionally conducts an annual payment card industry (PCI) data security standard review of our security controls that protect payment information. Our systems periodically experience attacks intended to lead to interruptions and delays in our services and operations as well as loss, misuse or theft of personal information (of third parties, employees, and our customers) and other data, confidential information or intellectual property. However, no cybersecurity incidents have had a material impact on our business, financial condition or results of operations, and we are not presently aware of any cybersecurity threats that are reasonably likely to materially affect us. Any significant disruption to our service or access to our systems could result in a loss of customer data and adversely affect our business and results of operation. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a material adverse effect on our business, financial condition and results of operations. See “Risk Factors - Cyber-attacks involving our systems and data could expose us to liability or harm our reputation and have a material adverse effect on our business.” The Vice President and Chief Information Security Officer (CISO) leads the global information security organization responsible for overseeing our information security program. Our CISO has over 25 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies, and is a Certified Information Security Professional and Information Systems Security Architecture Professional. Team members who support our information security program have relevant educational and industry experience, including having held similar positions at large technology companies. Given the nature of our business, management is highly focused on identifying and managing cybersecurity risks, and our CISO and information security teams provide regular reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings. The Board has primary responsibility for oversight of the Company’s cybersecurity risks. The Audit Committee is also responsible for reviewing the Company’s cybersecurity risks and the steps that management has taken to protect against threats to the Company’s information systems and security. The Audit Committee has formed a Cybersecurity Risk Subcommittee consisting of two independent directors to assist the Audit Committee in its oversight of cybersecurity risks. By its charter, all members of the Cybersecurity Risk Subcommittee must have a background or experience in information technology or cybersecurity and an understanding of cyber threats, risk mitigation and policy. The results of our SOC 2 and PCI assessments are annually reported to the Cybersecurity Risk Subcommittee. Both the Subcommittee and the Board receive regular reports from our CISO on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. The Board also oversees our annual enterprise risk assessment, where we assess key risks within the company, including cyber security and technology risks.

Company Information