Samsara Inc. - (IOT)

10-K Filing Date: March 26, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have established policies and processes for assessing, identifying, and managing material risks from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized activity on or conducted through our production and information systems that may result in adverse effects on the confidentiality, integrity, or availability of our systems or any information residing therein.
We routinely conduct risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change that may affect production and information systems that are vulnerable to such cybersecurity threats and assessments in the event Samsara-specific or industrywide relevant vulnerabilities are discovered. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we evaluate whether, and if so, how, to design, implement, and maintain reasonable safeguards to mitigate identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. For example, to advance and demonstrate our commitment to data security and privacy, we have achieved four cybersecurity-related certifications under standards promulgated by the International Organization for Standardization (ISO). We devote significant resources and designate high-level personnel, including our Chief Information Security Officer (our “CISO”), who reports to our Chief Information Officer, to manage the cybersecurity-related risk assessment and mitigation process.
As part of our overall risk management system, we regularly monitor and test our safeguards and train our personnel on these and other safeguards, in collaboration with our human resources, business technology, and management teams. Personnel across the company are made aware of our cybersecurity policies and procedures through training.
We are regularly audited and assessed pursuant to the System and Organization Controls (SOC 2) established by the American Institute of Certified Public Accountants for reporting on internal control environments implemented within an organization. We regularly use the Cybersecurity Framework published by the National Institute of Standards and Technology, a framework of standards, guidelines, and best cybersecurity practices, to evaluate our security program and to plan improvement.
We engage assessors, consultants, outside counsel, and other third parties in connection with our cybersecurity-related risk assessment processes. These service providers assist us to design and implement our cybersecurity policies and procedures, as well as to monitor and test our safeguards. For example, we engage independent entities to conduct platform, infrastructure, and hardware-level penetration tests on at least an annual basis.
Like other technology companies, we have faced and expect to face cybersecurity threats on an ongoing basis. As of the date of this Annual Report on Form 10-K, however, we do not believe that any prior cybersecurity-related threats or incidents have materially affected our company. In addition, we require other third-party service providers with access to our systems or processing sensitive data for us to certify that they have the ability to implement and maintain reasonable and appropriate security measures, consistent with all applicable laws, in connection with providing services to us, and to promptly report any suspected breach of their security measures that may affect our company.
For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” including “Risk Factors—Risks Related to Our Business, Industry, and Operations: If we experience a security breach or incident affecting our customers’ assets or data, our data or IoT devices, our Data Platform, or other systems, our Connected Operations Cloud may be perceived as not being secure or safe, our reputation may be harmed, and our business could be materially and adversely affected.” and elsewhere in this Annual Report on Form 10-K.
Governance
A key function of our Board of Directors is informed oversight of our risk management processes, including risks from cybersecurity threats. Our Board of Directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our Board of Directors administers its cybersecurity risk oversight responsibilities as a whole, as well as through our Audit Committee.
Our CISO is primarily responsible for assessing and managing our material risks from cybersecurity threats. Our CISO, as of the date of this report, has experience in cybersecurity leadership roles at Microsoft Corporation, where he helped drive core security programs for the Windows operating system, including platform integrity, cryptography, data protection, identity and access control. He also held a leadership role in the mergers and acquisition security program at Salesforce, Inc., which included the assessment and remediation of security of potential and approved acquisitions. After he obtained his Bachelor of Science Degree in Electrical Engineering, he served for eight years as a Nuclear Submarine Officer for the U.S. Navy. He also has a Master of Business Administration degree.
Our CISO is supported by a team of personnel with experience in cybersecurity, including at other public companies in the technology industry.
Our CISO oversees our cybersecurity policies and processes, including those described in the section titled “Risk Management and Strategy” above. The processes by which our CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents include the following:
Ongoing threat intelligence monitoring aimed at helping Samsara identify threats that may impact Samsara’s production and information environments;
Mechanisms for real-time or otherwise prompt reporting through multiple channels, including e-mail and instant messaging to a team of on-call incident responders;
Supplemental retrospective reviews of reported incidents to identify trends and track resolution of incidents identified during the incident review process;
Routine product reviews to assess progress on key security initiatives, along with assessing existing and emerging product-related risks; and
Annual tabletop exercises in which we test our incident response procedures with management representatives from across the company.
Our CISO provides periodic briefings to our Audit Committee regarding cybersecurity risks and activities, including recent cybersecurity incidents and related responses, cybersecurity systems testing, cybersecurity training efficacy, and cybersecurity risks. As necessary, our Audit Committee provides periodic updates to our Board of Directors on such reports. In addition, our CISO provides periodic briefings to the Board of Directors on cybersecurity risks and activities.