DOMO, INC. - (DOMO)

10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity
Domo has an established cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of its critical systems, internal networks, and information. This program implements policies, processes, and controls to respond to cybersecurity threats and mitigate business impacts. Management is responsible for day-to-day administration of Domo’s cybersecurity policies, processes, practices, and risk management.
Our board of directors recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. Our board of directors is actively involved in oversight of our risk management program, and cybersecurity represents an important component of our overall approach to enterprise risk management (“ERM”).

We have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that materially affected our organization, including its business strategy, results of operations, or financial condition. However, we face ongoing and increasing cybersecurity risks, including from bad actors that are becoming more sophisticated and effective over time. If realized, these risks are reasonably likely to materially affect our organization. Additional information on the cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors.”
Risk Management and Strategy
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. Our cybersecurity policies, standards, processes, and practices are informed by recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization, and an array of other applicable standards-setting bodies, which are integrated into a broader risk management framework and related processes. We also hold various security-related industry certifications and attestations that have been validated by external auditors, including SOC 1, SOC 2, ISO 27001, ISO 27018, HITRUST, HIPAA, and others.

We conduct annual risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.

Following these risk assessments, we evaluate whether and how to re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high-level personnel, including our Chief Information Security Officer who reports to our Chief Technology Officer, to manage the risk assessment and mitigation process.

As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with human resources, IT, and management. Personnel at all levels and departments are made aware of our cybersecurity policies through trainings.

We engage assessors, consultants, and auditors in connection with our risk assessment processes. These service providers assist us in designing and implementing our cybersecurity policies and procedures, as well as in monitoring and testing our safeguards.

We require each third-party service provider that has access to or a relationship with our systems or data to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with its work with us, and to promptly report any suspected breach of its security measures that may affect our company.
Governance
One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through the audit committee.

We have a unified and centrally coordinated team, led by our Chief Information Security Officer (CISO), that is responsible for implementing and maintaining centralized cybersecurity and data protection practices in close coordination with our executive leadership team, including the CEO, CTO, CFO, CLO, CHRO, and other members of the senior leadership team. The CISO has extensive experience in the management of cybersecurity risk management programs, having served in various leadership roles in information technology and information security for over 18 years. He also holds an undergraduate degree in information systems and a master’s degree in business administration and accounting. We believe the Company’s business leaders, including our CEO, CFO, CTO, CHRO, and CLO, who have experience managing cybersecurity risk at Domo and at similar companies, have the appropriate expertise, background, and depth of experience to manage risks arising from cybersecurity threats. Reporting to our Chief Information Security Officer are several experienced security engineers and governance, risk, and compliance professionals. In addition to our in-house cybersecurity capabilities, we also engage with external assessors, consultants, auditors, or other third parties to assist with assessing, identifying, and managing cybersecurity risks.

Our CISO and our management committee on cybersecurity (security steering committee) oversee our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. Some key processes by which our CISO and security steering committee are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents include the following:

Identification and Reporting: We have implemented a robust, cross-functional approach to identifying, assessing, and managing cybersecurity threats and risks. Our program includes controls and procedures designed to properly identify, classify, and escalate cybersecurity risks to provide management with visibility and prioritization of risk mitigation efforts and to publicly report material cybersecurity incidents when appropriate.

Threat Intelligence: We have established a Threat Intelligence team focused on profiling, intelligence collection, and threat analysis supporting our ongoing efforts to identify, assess and manage cybersecurity threats. The team’s input supports both near-term response to cybersecurity events, and long-term strategic planning and development of our cybersecurity risk management framework.

Technical Safeguards: We deploy, maintain, and regularly monitor the effectiveness of technical safeguards that are designed to protect our information systems from cybersecurity threats. We make investments in core security capabilities, including awareness and training, identity and access, incident response, product security, cloud security, enterprise security, risk management, and supply chain risk, to enable us to better identify, protect, detect, respond to, and recover from evolving security threats. Our technical safeguards include firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through internal and external security assessments and cybersecurity threat intelligence. We regularly assess our safeguards through internal testing by our assurance teams. We also leverage external third-party testing (e.g., penetration testing, attack surface mapping, and security maturity assessments).

Incident Response and Recovery Planning: We have established and maintain robust incident response, business continuity and disaster recovery plans designed to address our response to a cybersecurity incident. We conduct regular tabletop exercises involving multiple operational teams, including senior management, to test these plans and to familiarize personnel with their roles in a response scenario.

Third-Party Risk Management: We maintain a robust, risk-based approach to identifying and overseeing cybersecurity threats presented by certain third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a significant cybersecurity incident affecting those third-party systems.

Education and Awareness: We regularly provide employee training on security-related duties and responsibilities, including knowledge about how to recognize security incidents and how to proceed if an actual or suspected incident should occur. This training is mandatory for employees across our organization and is intended to provide our employees and contractors with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes, and practices.

Our CISO provides quarterly briefings to the audit committee regarding our company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. Our audit committee provides regular updates to the board of directors on such reports.