Rackspace Technology, Inc. 10-K Cybersecurity GRC - 2026-03-06

Page last updated on March 6, 2026

Rackspace Technology, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-06 16:07:05 EST.

Filings

10-K filed on 2026-03-06

Rackspace Technology, Inc. filed a 10-K at 2026-03-06 16:07:05 EST
Accession Number: 0001810019-26-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C - CYBERSECURITY We are materially dependent upon our networks, information technology infrastructure, and related technology systems to provide services to our customers, manage our internal operations and support our strategic objectives. Cyber-attacks have become prevalent in our industry, and the techniques used to sabotage or obtain unauthorized access to systems are constantly expanding and evolving. Malicious actors are increasingly sophisticated in their methods, tactics, techniques, and procedures, seeking to steal money, gain unauthorized access to, destroy or manipulate data, and disrupt operations. Based on information known to management through our established processes and policies as of the date of this report, we have not identified any cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably anticipated to have a material adverse effect on our business. However, we have experienced and expect to continue to experience cybersecurity threats and cybersecurity incidents. In December 2022, we previously disclosed a ransomware incident that caused service disruptions for our Hosted Exchange customers. In addition, in March 2025, a malicious actor publicly claimed to have gained unauthorized access to certain of our data, but after investigation and forensic analysis, we found no evidence of unauthorized access and did not correlate the data shared by the malicious actor to us or any of our customers. We maintain governance and oversight processes designed to manage cybersecurity risks and implement controls and practices intended to identify, protect, detect, respond to and recover from cybersecurity risks and incidents; however, we cannot provide assurance that cybersecurity risks will not materially affect our business (or the systems we host for our customers) in the future, including our business strategy, results of operations, or financial condition, nor can we provide assurance that our controls, processes and procedures will operate as intended in all circumstances. Cybersecurity threats, whether or not successful, could result in significant costs related to rebuilding our internal systems, writing down inventory value, implementing additional threat protection measures, providing modifications or replacements to our products and services, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as significant reputational harm. Cybersecurity threats continue to evolve, including with the advent of AI and GenAI, which may increase the difficulty of detecting and defending against such threats. See "Risk Factors - Security breaches, cyber-attacks and other interruptions to our or our third-party service providers' infrastructure have disrupted and may continue to disrupt our internal operations and we may be exposed to claims and liability, lose customers, suffer harm to our reputation, lose business-critical compliance certifications and incur additional costs." for more information on our cybersecurity risks. Risk Management and Strategy Cybersecurity risk management is a component of our broader enterprise risk management program, and we have established cybersecurity policies and procedures to identify, protect, detect, respond to and recover from cybersecurity risks and incidents in accordance with applicable law. We maintain a cross-functional approach to cybersecurity risk, which is designed to help identify, protect, detect, respond to and recover from cybersecurity threats. Our cybersecurity strategy focuses on implementation of controls, technologies, and other processes designed to assess, identify, manage and address material cybersecurity risks. These include, among other things: annual and ongoing security awareness training for employees; mechanisms to detect and monitor unusual network activity; processes to model the integrity of critical security controls; enforcement of computing system security policies; and containment and incident response tools. We monitor issues that are internally discovered or externally reported that may affect our operations, systems, network, data, products and/or services, and have processes to assess those issues for potential cybersecurity impact or risk. We assess and deploy technical safeguards intended to protect our information systems from cybersecurity threats. These safeguards may be evaluated and updated based on vulnerability assessments, cybersecurity threat intelligence and incident response experience. Our cybersecurity policies and procedures include incident response plans that address roles, responsibilities, and escalation protocols in connection with cybersecurity incidents, as appropriate. - 46 - Table of Contents Our team engages with external cybersecurity advisors and experts, including outside counsel and outside cybersecurity firms, assessors, auditors and consultants as necessary or appropriate. We also maintain numerous industry-related compliance certifications for various aspects of our business. These certifications and attestations apply to specified systems, services or processes and do not eliminate cybersecurity risk. In addition, they are point-in-time references and do not guarantee future performance. Our cybersecurity policies and procedures are designed to vet key third-party providers and provide for oversight and cooperation regarding cybersecurity incidents. In addition, our cybersecurity policies and procedures require our third-party providers to meet appropriate security requirements. We may investigate security incidents that have impacted our third-party providers, as appropriate; however, our ability to monitor our third-party service providers' data security is limited, consistent with industry practices. Governance Board Oversight The Audit Committee of our Board oversees our cybersecurity risk. The Audit Committee receives regular cybersecurity specific updates from management (including our Chief Information Security Officer ("CISO") and/or other key personnel), typically on a quarterly basis, about the identification, protection, detection, response and recovery from cybersecurity threats and cybersecurity incidents, as well as the evolving cybersecurity landscape and trends, notable incidents, recent program enhancements and other relevant topics. The nature and timing of information provided depends on the circumstances and materiality of the underlying risk or incident. The Audit Committee reports to our Board and certain of our Audit Committee and Board members have experience in assessing and managing cybersecurity risks. In addition to this regular reporting, significant cybersecurity risks or threats may also be escalated to the Audit Committee and/or the Board on an as-needed basis. Management's Role Our overall cybersecurity function and oversight of our cybersecurity team's efforts to identify, protect, detect, respond to and recover from cybersecurity risks and incidents is led by our CISO, who joined in March 2026. Our CISO is an experienced cybersecurity executive who has served as Chief Information Security Officer and Chief Security Officer for a global e-commerce platform, previously held senior leadership roles across technology and financial services organizations, including leading a major post-breach security recovery. He is responsible for governance, compliance, risk management, enterprise security transformation, and operational efficiency initiatives. Our CISO is supported by our Deputy CISO, who brings more than 15 years of experience in enterprise security, risk, and emerging technologies. He served in senior leadership roles including Deputy Chief Technology Officer and Head of Information Security, holds graduate degrees in Computer Science and Business Administration, and is CISSP-credentialed. He began his career in secure communications and cryptographic systems as a uniformed member of the United States Air Force. Our CISO and Deputy CISO lead a team of cybersecurity professionals who have extensive experience across multiple sectors, many of whom hold relevant industry certifications. Key security, risk, technology, legal, and compliance personnel, together with other cross-functional internal stakeholders and senior management, meet regularly with the cybersecurity team to develop, review and evaluate our cybersecurity policies and procedures, including discussions of the following: - cybersecurity strategies for preservation of the confidentiality, integrity and availability of company and customer information; - identification, protection, detection, response and recovery from cybersecurity threats and incidents; and - effective response to cybersecurity incidents (including escalation procedures to enable timely decisions regarding public disclosure and other required reporting by appropriate personnel). Under our global incident response process, cybersecurity incidents are assessed and classified by severity, and incidents are escalated as appropriate to executive leadership. In addition, we have a process to promptly notify the Audit Committee and the Board , as appropriate, in the event a cybersecurity incident may be material. Materiality determinations are made in accordance with our disclosure controls and procedures. - 47 - Table of Contents

Company Information