|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We believe cybersecurity is a critical element in our business and in enabling digital transformation for our clients. EPAM and our clients and suppliers all face risks from cybersecurity threats and a cybersecurity incident impacting any or all of us could materially adversely affect our operations, performance, reputation, and results of operations. For these reasons, EPAM maintains a cybersecurity risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. Our cybersecurity risk management program includes periodic reviews of our risks and responses as well as company-wide risk assessments by internal and external cyber risk professionals and is designed to address risks related to both EPAM’s corporate information technology network and our cybersecurity services.
The governance structure, controls, and processes of our information security programs are based on industry best practices, our own practices and frameworks, and codified cybersecurity and information technology standards, including compliance with the International Organization Standardization/International Electrotechnical Commission 27001:2002 Information Security Management Systems standard, the International Standard on Assurance Engagements 3402 standard, as well as applicable laws and regulations. We are regularly subject to evaluations, assessments, audits, tests, and compliance inspections by clients and third-party auditors that we or our clients engage to evaluate and test our cybersecurity risk management processes. We have established processes and a committee to gather facts to make a multi-layered evaluation and determination of the impact and materiality of cybersecurity incidents and to apply information learned from each incident to protect EPAM, its personnel, and its clients from future cybersecurity risks.
In addition to internal and external assessments of our own preparedness, we also seek to evaluate cybersecurity risks arising from our vendors and other third-party service providers. We review third-party cybersecurity controls through questionnaires, audits, and contract reviews, including adding security and privacy addenda to our contracts where applicable, and generally receive or commission system and organization controls reports, if available. We also generally require that our vendors report cybersecurity incidents to us so that we can assess the impact of an incident if it occurs. Vendors that are unable to provide adequate reporting or that have access to sensitive data generally have their cybersecurity processes and procedures reviewed and our relationship with that vendor is further assessed on the basis of those reviews. Our assessment of risks associated with use of third-party providers is part of our overall cybersecurity risk management framework.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|In 2024, the Board delegated cybersecurity and information technology systems oversight to the Audit Committee while simultaneously creating a subcommittee of the Audit Committee solely focused on EPAM’s cybersecurity and information security, including risk monitoring, assessment and management systems and policies. The purpose of the delegation was to increase bilateral access and communication between our cybersecurity management and our Board members and to supplement and accelerate the cadence of cybersecurity updates and discussion in addition to the regular briefings provided to the entire Board.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|In 2024, the Board delegated cybersecurity and information technology systems oversight to the Audit Committee while simultaneously creating a subcommittee of the Audit Committee solely focused on EPAM’s cybersecurity and information security, including risk monitoring, assessment and management systems and policies. The purpose of the delegation was to increase bilateral access and communication between our cybersecurity management and our Board members and to supplement and accelerate the cadence of cybersecurity updates and discussion in addition to the regular briefings provided to the entire Board.
|Cybersecurity Risk Role of Management [Text Block]
|
Several of the members of our Board of Directors have extensive experience in the information technology and information security industries, so our entire Board historically oversaw EPAM’s cybersecurity risk exposure and our management’s processes for identifying, monitoring, and mitigating cybersecurity risks. In 2024, the Board delegated cybersecurity and information technology systems oversight to the Audit Committee while simultaneously creating a subcommittee of the Audit Committee solely focused on EPAM’s cybersecurity and information security, including risk monitoring, assessment and management systems and policies. The purpose of the delegation was to increase bilateral access and communication between our cybersecurity management and our Board members and to supplement and accelerate the cadence of cybersecurity updates and discussion in addition to the regular briefings provided to the entire Board.
In addition to regular and periodic updates to the cybersecurity subcommittee, our Chief Information Security Officer and our Head of Global Operations brief the Board on our cybersecurity and information security programs and risks, both as a regular, standalone topic and as part of EPAM’s enterprise risk management program, where it remains rated as a high priority risk that has been integrated into our regular enterprise risk management assessments. Members of the Board or its leadership, as well as designated members of functional areas such as legal and communications, are also informed of cybersecurity incidents with the potential to have a business impact on EPAM, even if the incidents are not material to EPAM.
Our information security programs are led by our Chief Information Security Officer and our Head of Global Operations and encompass our overall information security strategy, policy, operations, and threat detection and response management. Our information security leadership has more than 50 years of combined experience in software product engineering, security, and IT services, with extensive operational, cybersecurity, and global management experience in our or other corporate information security roles and organizations. Our information security leadership is also responsible for notifying our management and members of the Board about cybersecurity threats and incidents. Our information security team reports to our information security leadership and selects, deploys, and operates cybersecurity technologies, initiatives, and processes across our global footprint and develops and monitors government, public, and private threat intelligence sources to continually enhance our enterprise security structure and system resilience. Our personnel and end-users who are not assigned to our information security organization also contribute to our cybersecurity defense matrix by engaging in various learning modules and events, including simulations, tabletop exercises, and mandatory annual compliance and threat awareness training. The results and feedback from our exercises and training programs are subsequently incorporated into our evolving cybersecurity strategy. We built a security operations center to constantly monitor our global information security posture and to receive threat notifications and coordinate the investigation and remediation of alerts. In the event of an incident, we have developed detailed incident response playbooks that outline the identification, assessment, remediation, and prevention steps that we follow when responding to a cybersecurity threat.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|In addition to regular and periodic updates to the cybersecurity subcommittee, our Chief Information Security Officer and our Head of Global Operations brief the Board on our cybersecurity and information security programs and risks, both as a regular, standalone topic and as part of EPAM’s enterprise risk management program, where it remains rated as a high priority risk that has been integrated into our regular enterprise risk management assessments. Members of the Board or its leadership, as well as designated members of functional areas such as legal and communications, are also informed of cybersecurity incidents with the potential to have a business impact on EPAM, even if the incidents are not material to EPAM.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our information security leadership has more than 50 years of combined experience in software product engineering, security, and IT services, with extensive operational, cybersecurity, and global management experience in our or other corporate information security roles and organizations.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Members of the Board or its leadership, as well as designated members of functional areas such as legal and communications, are also informed of cybersecurity incidents with the potential to have a business impact on EPAM, even if the incidents are not material to EPAM. Our information security team reports to our information security leadership and selects, deploys, and operates cybersecurity technologies, initiatives, and processes across our global footprint and develops and monitors government, public, and private threat intelligence sources to continually enhance our enterprise security structure and system resilience.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true