Dell Technologies Inc. - (DELL)

10-K Filing Date: March 25, 2024
ITEM 1C — CYBERSECURITY

We face numerous cybersecurity threats that range from cyber-attacks common to most industries to attacks from more advanced and persistent threat actors that target large information technology companies with products and services operating in strategic sectors. We could be adversely affected by cybersecurity incidents affecting our systems or the systems of our suppliers and other third-party service providers. To address these threats, we expend considerable resources on cybersecurity risk management, strategy, and governance.

We assess, identify, and manage material cybersecurity risks in a number of ways. Our global security and resiliency organization, under the leadership of our Chief Security Officer (“CSO”), has established an internal governance structure to identify, assess, rate, and manage cybersecurity risks across the Company in an integrated manner. The security and resiliency organization advises each business unit and functional area on addressing cybersecurity risks and monitors initiatives to mitigate and manage such risks over time. Each business unit or functional area is responsible for managing risks and ensuring that security and resiliency policies and standards are implemented within the respective business unit or function. Compliance with our internal security and resiliency policies and standards is assessed by our internal audit team, which has a dedicated cybersecurity audit function.

Our security and resiliency organization includes a dedicated cybersecurity function led by our Chief Information Security Officer (“CISO”). As part of our cybersecurity function, the cybersecurity and intelligence response team (“CSIRT”) administers a program to monitor, detect, investigate, respond to, and escalate management of internal and external cybersecurity threats and incidents. The CSIRT provides threat intelligence information to our CSO, broader security and resiliency organization, and relevant business units and functional areas.

We also engage third parties in connection with our cybersecurity risk management processes, including cybersecurity consultants and auditors, to conduct evaluations of our security controls and provide certifications for industry-standard security frameworks, such as ISO27001 and PCI-DSS.

In addition to monitoring risks from threats to our own assets, we administer a third-party risk management program that endeavors to help identify and manage risks from cybersecurity threats arising from our suppliers and other service provider organizations. This program seeks to combine a methodology for risk ratings with targeted cybersecurity assessments, security-focused contractual requirements, and monitoring activities based on the risk profile of covered suppliers and service providers.

Our CSO reports to our General Counsel and has principal executive responsibility and oversight for the Company’s strategy, planning, and operations on the management of both physical and cybersecurity risk. Our CSO has extensive cybersecurity and program management experience and previously served in relevant leadership positions at another large multinational corporation and the U.S. Department of Defense. He is supported by our Chief Information Security Officer, who has extensive cybersecurity experience in both the private and public sectors, and a team of cybersecurity professionals with relevant and expansive educational and industry experience.

Cybersecurity risk management has been integrated into the Company’s overall enterprise risk management program (“ERM”) through the Company’s enterprise risk governing bodies, which are the Global Risk and Compliance Council (“GRCC”) and the Enterprise Risk Steering Committee (“ERSC”). Our CSO reports on cybersecurity risk to the GRCC and ERSC and also serves as a member of the ERSC. The CSO regularly meets with members of our executive leadership team to discuss cybersecurity risks, as well as related mitigation and remediation activities. In addition, information on cybersecurity risks is further integrated into our overall ERM through our central internal audit function, which incorporates such information in regular audits of our cybersecurity and data protection controls and processes.

Our Board of Directors oversees significant cybersecurity risks to the Company directly and through its Audit Committee. The Board of Directors meets with our CSO or his delegate annually to review significant cybersecurity risks as well as cybersecurity priorities and focus areas for the upcoming fiscal year. The Audit Committee meets with our CSO or his delegate quarterly to review significant cybersecurity incidents and risks, as well as progress made towards key cybersecurity initiatives and matters. The CSO may provide more frequent updates to the Board of Directors and Audit Committee if necessitated by a security incident or other developments. The Audit Committee reports regularly to our Board of Directors regarding the committee’s oversight of cybersecurity risk matters.


To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incident, have materially affected our business strategy, results of operations, or financial condition. Notwithstanding our investment in cybersecurity, we may not be successful in identifying a cybersecurity risk or preventing or mitigating a cybersecurity incident or product security vulnerability that could have a material adverse effect on our business, results of operations, or financial condition. For a discussion of cybersecurity risks affecting our business, see “Item 1A—Risk Factors—Risks Relating to Our Business and Our Industry.” Although we maintain cybersecurity insurance, the costs related to cybersecurity incidents may not be fully insured.
