Couchbase, Inc. - (BASE)
10-K Filing Date: March 26, 2024
Item 1C. Cybersecurity
As the provider of a leading cloud database platform for modern applications, we treat cybersecurity risk management as an important component of our overall risk management program. As further described below, we have established policies, processes, and practices designed to identify and mitigate cybersecurity risk. However, at any given time, we cannot guarantee that we are aware of all material cybersecurity risks; that our employees or contractors will follow our security protocols; or that our risk management program will be effective in all cases. For information about the material cybersecurity risks that we face, see Item 1A, “Risk Factors.” Although our Risk Factors include further detail about the cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date.
Risk Management and Strategy
We have implemented and maintain policies and processes for assessing, identifying and managing material risk from cybersecurity threats based on industry standard frameworks and the results of our System and Organization Controls 2 (SOC 2), Type II, Cloud Security Alliance STAR and PCI DSS audits conducted by independent third-party auditors. These policies and processes have been integrated into our overall risk management program which includes:
Risk Assessments
We conduct periodic technical risk assessments to identify potential cybersecurity threats and material changes in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include an evaluation of reasonably foreseeable internal and external risks, the likelihood and potential impact that could result from such risks, as well as an evaluation of the effectiveness of existing policies, procedures, systems and safeguards in place to manage such risks. In addition to the security audits conducted by independent third-party auditors, we also leverage internal audits, tabletop exercises, blue team exercises, simulations and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. Further, we employ a range of third-party tools, safeguards and services, including firewalls, vulnerability management, Security Information & Event Management (SIEM), data loss prevention, email security, network and endpoint protection and penetration testing as part of the risk assessment process. The results of these assessments are reported to the audit committee of the board of directors.
Technical Safeguards
Based on our risk assessments, we define, implement and maintain safeguards designed to minimize identified risks, develop reasonable risk mitigation plans to address any identified gaps in existing safeguards, and regularly monitor risk remediation efforts and the effectiveness of our safeguards. Our technical safeguards include firewalls, intrusion prevention and detection systems, anti-malware tools, multi-factor authentication, mobile data management, data loss prevention, email security and access controls. These technical safeguards are evaluated and improved through regular vulnerability assessments and security threat intelligence.
Incident Management and Recovery
We have implemented a security incident management process designed to quickly minimize and contain the impact of an incident on the business, restore normal service operations and maintain service quality and availability levels. The security incident response process involves cross-functional coordination to identify, investigate, respond to, contain and remediate the impact of any cybersecurity threats and incidents. Our security incident management process is also designed to allow us to evaluate potential legal obligations and mitigate any brand or other damage from incidents. In addition, we maintain cybersecurity insurance; however, the costs related to cybersecurity threats or disruptions may not be fully insured.
Third-Party Risk Management
We use third-party service providers to perform a variety of functions throughout our business, such as application providers and hosting companies. We have a vendor management program to manage cybersecurity risks associated with our use of these providers. The program includes risk assessments for each vendor, security questionnaires and review of security reports. Depending on the nature of the services provided, the sensitivity of the information systems and data at issue and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.
Training and Awareness
We conduct a variety of information security and privacy trainings, which include new hire training, annual security awareness training, organization-wide communications about known threats and phishing simulations.
Governance
Our board of directors oversees our management of cybersecurity risk through delegation to our audit committee. The audit committee provides strategic oversight of management’s cybersecurity risk management practices and receives regular and ad hoc reporting from management and our Chief Information Security Officer (who was our Senior Director of IT and Information Security prior to March 2024), including information about the prevention, detection, mitigation and remediation of material cybersecurity incidents, if any. Additionally, we leverage the cybersecurity experience of other members of our board of directors who participate in these updates from time to time. The audit committee regularly updates the board of directors regarding these matters.
Our cybersecurity risk management team comprises technically skilled professionals with computer science degrees, cybersecurity credentials and professional experience in preventing, detecting, mitigating and remediating cybersecurity incidents and testing cybersecurity processes, under the leadership of our Chief Information Security Officer. This team is responsible for assessing and managing cybersecurity threats on a full-time basis and, as of the first quarter of fiscal 2025, reports into our Chief Information Officer. The team works in close coordination with the Chief Financial Officer and Chief Legal Officer. Our Chief Information Security Officer has over two decades of experience in cybersecurity, information security, information technology and cloud services. He is currently a Certified Chief Information Security Officer, as certified by EC-Council. Additionally, he holds an engineering degree in computer science from Sri Jayachamarajendra College of Engineering, Mysore University and a master of business administration degree in technology management from the University of California, Davis.