UiPath, Inc. - (PATH)
10-K Filing Date: March 27, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats (which we refer to as information security threats) to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data. Our critical data includes intellectual property, confidential information that is proprietary, strategic, or competitive in nature, and personal and sensitive information related to our employees, prospective employees, third-party service providers, and our customers. Together, we refer to these systems and data as our Information Assets, Systems, and Data.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, and standards and policies designed to manage and mitigate material risks from information security threats to our Information Assets, Systems, and Data, including, for example: using manual and automated monitoring tools; conducting scans of our threat environment; subscribing to reports and services that identify information security threats; analyzing reports of threats and actors; evaluating threats reported to us; conducting and using third parties to conduct tests of certain systems; coordinating with law enforcement concerning certain threats; having third parties conduct threat assessments; conducting threat assessments and vulnerability assessments to identify vulnerabilities; evaluating our and our industry’s risk profile; conducting penetration testing; having third parties conduct red/blue team testing and tabletop incident response exercises; using external intelligence feeds; and conducting various threat model exercises. The level of investment and maturity of each of these measures are mapped directly to our risk management program.
Our assessment and management of material risks from information security threats are integrated into our overall risk management processes. For example: (1) information security risk is addressed as a component of our enterprise risk management program and identified in our risk register; (2) the information security team with enterprise input from other teams, including our risk management, internal audit, security, and technology management personnel, works with management to prioritize our risk management processes and mitigate information security threats that have a higher likelihood of leading to a material impact to our business; (3) our global risk and compliance team, under the direction of our CISO, evaluates material risks from information security threats against our overall business objectives.
We use third-party service providers to assist, from time to time, in identification, assessment, and management of material risks from information security threats, including but not limited to penetration testing firms, professional services firms, external legal counsel, threat intelligence service providers, information security consultants and software providers, managed cybersecurity service providers, and forensic investigators. Further, we use third-party service providers to perform a variety of functions throughout our business, such as application providers and hosting companies. We use certain vendor management processes to help manage information security risks associated with our use of certain of these providers. Depending on the nature of the services provided, the sensitivity of the Information Assets, Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify information security risks associated with a provider and impose contractual obligations related to information security on the provider, including, for example: conducting risk assessments and vulnerability scans related to our vendors’ services; requiring our vendors to complete security questionnaires; reviewing our vendors’ written security programs and security assessments; conducting and maintaining reports on our vendors; reviewing our vendors' third-party audit reports; conducting security assessment calls with our vendors’ security personnel; and imposing certain contractual obligations on our vendors. We apply mitigations and processes based on our evaluation of the sensitivity of the data accessed by the vendor and the maturity of the vendor's programs. Reports from our third-party vendors are treated as an intake to our incident response process. 
We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, financial condition, or results of operations. However, like other companies in our industry, we and our third-party vendors have from time to time experienced threats and security incidents that could affect our information or systems.
For a description of the risks from information security threats that may materially affect us and how they may do so, see Risk Factors—Risks Related to Data Privacy and Cybersecurity in Part I, Item 1A of this Annual Report on Form 10-K.
Governance
In fiscal year 2024, our information security risk assessment and management processes were implemented and maintained by certain of our management, including our CISO, our Chief Technology Officer—Cloud, and our Senior Director of Security Operations. Our CISO has over 30 years of experience developing and leading IT product security teams across multiple technology domains, and previously held leadership positions at several large technology companies. Our Chief Technology Officer—Cloud holds a Master of Science degree in Computer Engineering and has over 20 years of experience in various IT leadership roles, including most recently as Head of Engineering within a large technology company's Cloud and IT division. Our Senior Director of Security Operations has over 12 years of experience in IT security and is a Certified Information Systems Security Professional.
Our CISO and information security team are responsible for hiring appropriate information security personnel, helping to integrate information security risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. The CISO and CISO's leadership team are responsible for approving budgets, approving information security processes, helping to prepare for possible cybersecurity incidents, and reviewing security assessments and other security-related reports. Other teams are also involved in aspects of this work.
The CISO regularly reports to senior management and the board of directors on the oversight of our information security program. The CISO is also a member of the senior leadership team that meets quarterly on risk and compliance, which includes executives throughout the company who oversee areas such as finance, accounting, investor relations, people, legal and compliance, IT, and product and engineering. This committee meets regularly, as relevant, to discuss oversight of the information security program, program enhancements, and new risks or threats the company might be facing. The company has established, as part of its incident response program, a smaller senior executive committee to oversee and manage information security incidents or vulnerabilities, assessed by severity and/or known or threatened impact. Security management and others work with our incident response team to help mitigate and remediate information security incidents of which they are notified. In addition, our incident response plan includes reporting to the board of directors for certain information security incidents.
The CISO reports at least quarterly to the audit committee of the board of directors. Pursuant to its charter, the audit committee has, as an area of focus, the adequacy and effectiveness of our information security and cybersecurity policies and practices. The board of directors retains overall responsibility for assessing our major risks and considering ways to address those risks, and addresses our information security risk management as part of its general oversight function. Through its meetings with management, including the information security, internal audit, and legal and compliance functions, the audit committee reviews and discusses significant areas of our business and summarizes key areas of risk and relevant mitigating factors for the board of directors.